Apache OFBiz URL ReDoS pre-18.12.06
CVE-2022-29158 Published on September 2, 2022
Regular Expression Denial of Service (ReDoS) vulnerability in Apache OFBiz
Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provided by external, unauthenticated users. Upgrade to 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12599
Weakness Type
What is a ReDoS Vulnerability?
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. Some regular expression engines have a feature called "backtracking". If the token cannot match, the engine "backtracks" to a position that may result in a different token that can match. Backtracking becomes a weakness if all of these conditions are met:
CVE-2022-29158 has been classified to as a ReDoS vulnerability or weakness.
Products Associated with CVE-2022-29158
Want to know whenever a new CVE is published for Apache OFBiz? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache OFBiz:- Version Apache OFBiz, <= 18.12.05 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.