Commit
Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)
As reported by Jie Zhu: <<The latest version of the OFBiz framework (17.12.08) is affected by an XMLRPC Remote Code Execution Vulnerability. This vulnerability is caused by incomplete patch repair of cve-2020-9496.>>

Actually this is not an OFBiz bug (so not related to CVE-2020-9496) but an old XMLRPC bug (Archiva was(/is?) also affected): https://nvd.nist.gov/vuln/detail/CVE-2016-5003

Unfortunately XMLRPC is no longer maintained, so it's OFBiz's responsibility to fix this bug. As the code that secures serialisation in OFBiz is not reached by this bug, the solution is to secure it at the ContextFilter class level (i.e. before it reaches secured serialisation in OFBiz source).

Thanks: Jie Zhu for report and help.
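The filter-level approach the commit message describes, shown as an added example that is not OFBiz's code and not the actual ContextFilter change: it assumes the problematic path is the Java-object deserialization extension type that CVE-2016-5003 concerns (the `ex:serializable` element in the Apache XML-RPC extensions namespace) and rejects any request body that uses that namespace before the body reaches the XML-RPC parser, failing closed on malformed XML. The two sample request bodies are constructed for the demo; the `AAAA` payload is a placeholder, not a real serialized object.

```python
import xml.etree.ElementTree as ET

# Namespace that Apache XML-RPC uses for its non-standard type extensions;
# <ex:serializable> in this namespace carries a base64-encoded Java object.
XMLRPC_EXT_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"

# Constructed sample bodies (not captured from real traffic).
BENIGN_CALL = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>ping</methodName>
  <params><param><value><string>hello</string></value></param></params>
</methodCall>"""

DESERIALIZATION_CALL = b"""<?xml version="1.0"?>
<methodCall xmlns:ex="http://ws.apache.org/xmlrpc/namespaces/extensions">
  <methodName>ping</methodName>
  <params><param><value><ex:serializable>AAAA</ex:serializable></value></param></params>
</methodCall>"""


def find_extension_elements(body: bytes) -> list[str]:
    """Return the local names of every element in the XML-RPC extensions namespace.

    Raises ValueError when the body is not well-formed XML, so callers can
    treat an unparsable request as suspicious rather than letting it through.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML-RPC body: {exc}") from exc
    prefix = "{" + XMLRPC_EXT_NS + "}"   # ElementTree's Clark notation for namespaced tags
    return [el.tag[len(prefix):] for el in root.iter() if el.tag.startswith(prefix)]


def should_block(body: bytes) -> bool:
    """Decision a request filter would make before handing the body to XML-RPC.

    Blocks any use of the extension types (not only serializable, since none
    of them are needed for plain XML-RPC) and blocks bodies that fail to parse.
    """
    try:
        return bool(find_extension_elements(body))
    except ValueError:
        return True


if __name__ == "__main__":
    for name, body in (("benign", BENIGN_CALL), ("extension", DESERIALIZATION_CALL)):
        print(f"{name}: block={should_block(body)} elements={find_extension_elements(body)}")
```

Checking the whole document for the namespace, rather than grepping for the literal string `ex:serializable`, means a request that binds the extensions namespace to a different prefix is still caught; the cost is one extra XML parse per request, which is acceptable for an endpoint that will parse the body anyway.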