Generation of Error Message Containing Sensitive Information in Apache OFBiz
CVE-2021-25958

6.5 MEDIUM

Key Information:

Vendor: Apache
CVE Published: 30 August 2021

Summary

In Apache OFBiz, versions v17.12.01 to v17.12.07 implement try-catch exception handling at multiple locations, but the resulting error messages leak sensitive table information that may aid an attacker in further reconnaissance. A user can register with a very long password, but when they try to log in with it, an exception occurs.

Affected Version(s)

ofbiz-framework v17.12.01

ofbiz-framework <= unspecified

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved