apache ofbiz CVE-2018-17200 is a vulnerability in Apache OFBiz
Published on September 11, 2019

The Apache OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. This service takes the `serviceContent` parameter in the request and deserializes it using XStream. This `XStream` instance is slightly guarded by disabling the creation of `ProcessBuilder`. However, this can be easily bypassed (and in multiple ways). Mitigation: Upgrade to 16.11.06 or manually apply the following commits on branch 16 r1850017+1850019

NVD


Products Associated with CVE-2018-17200

Want to know whenever a new CVE is published for Apache OFBiz? stack.watch will email you.

Apache OFBiz
 

Affected Versions

Apache OFBiz Version OFBiz 16.11.01 to 16.11.05 is affected by CVE-2018-17200

Exploit Probability

EPSS
2.97%
Percentile
86.36%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.