Regular Expression Denial of Service (ReDoS) vulnerability in Apache OFBiz
CVE-2022-29158

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Ofbiz
Vendor: CVE Published:; 2 September 2022

Summary

Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provided by external, unauthenticated users. Upgrade to 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12599

Affected Version(s)

Apache OFBiz Apache OFBiz <= 18.12.05

References

https://lists.apache.org/thread/7k92rg1o4ql2yw3o0vttkcl2j...

x_refsource_MISC

http://www.openwall.com/lists/oss-security/2022/09/02/5

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 2, 2022
Vulnerability Reserved
Apr 13, 2022

Collectors

NVD DatabaseMitre Database

Credit

Tony Torralba and Joseph Farebrother from the GitHub CodeQL team.