CVE-2019-10074 (GCVE-0-2019-10074)
Vulnerability from cvelistv5
Published
2019-09-11 20:38
Modified
2024-08-04 22:10
Severity ?
CWE
  • RCE
Summary
An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field. This was the case for the Customer Request "story" input in the Order Manager application. Encoding should not be disabled without good reason and never within a field that accepts user input. Mitigation: Upgrade to 16.11.06 or manually apply the following commit on branch 16.11: r1858533
References
Impacted products
Vendor Product Version
Apache OFBiz Version: OFBiz 16.11.01 to 16.11.05
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:10:09.294Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[ofbiz-dev] 20190910 [CVE-2019-10074] Apache OFBiz RCE (template injection)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://s.apache.org/r49vw"
          },
          {
            "name": "[ofbiz-notifications] 20190913 [jira] [Updated] (OFBIZ-11006) Create customer request screen breaks when entering special characters (CVE-2019-10074)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/a02aaa4c19dfd520807cf6b106b71aad0131a6543f7f60802ae71ec2%40%3Cnotifications.ofbiz.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "OFBiz",
          "vendor": "Apache",
          "versions": [
            {
              "status": "affected",
              "version": "OFBiz 16.11.01 to 16.11.05"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field. This was the case for the Customer Request \"story\" input in the Order Manager application. Encoding should not be disabled without good reason and never within a field that accepts user input. Mitigation: Upgrade to 16.11.06 or manually apply the following commit on branch 16.11: r1858533"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "RCE",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-09-13T09:06:11",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "name": "[ofbiz-dev] 20190910 [CVE-2019-10074] Apache OFBiz RCE (template injection)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://s.apache.org/r49vw"
        },
        {
          "name": "[ofbiz-notifications] 20190913 [jira] [Updated] (OFBIZ-11006) Create customer request screen breaks when entering special characters (CVE-2019-10074)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/a02aaa4c19dfd520807cf6b106b71aad0131a6543f7f60802ae71ec2%40%3Cnotifications.ofbiz.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2019-10074",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "OFBiz",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "OFBiz 16.11.01 to 16.11.05"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field. This was the case for the Customer Request \"story\" input in the Order Manager application. Encoding should not be disabled without good reason and never within a field that accepts user input. Mitigation: Upgrade to 16.11.06 or manually apply the following commit on branch 16.11: r1858533"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "RCE"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[ofbiz-dev] 20190910 [CVE-2019-10074] Apache OFBiz RCE (template injection)",
              "refsource": "MLIST",
              "url": "https://s.apache.org/r49vw"
            },
            {
              "name": "[ofbiz-notifications] 20190913 [jira] [Updated] (OFBIZ-11006) Create customer request screen breaks when entering special characters (CVE-2019-10074)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/a02aaa4c19dfd520807cf6b106b71aad0131a6543f7f60802ae71ec2@%3Cnotifications.ofbiz.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2019-10074",
    "datePublished": "2019-09-11T20:38:56",
    "dateReserved": "2019-03-26T00:00:00",
    "dateUpdated": "2024-08-04T22:10:09.294Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-10074\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2019-09-11T21:15:11.157\",\"lastModified\":\"2024-11-21T04:18:20.730\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field. This was the case for the Customer Request \\\"story\\\" input in the Order Manager application. Encoding should not be disabled without good reason and never within a field that accepts user input. Mitigation: Upgrade to 16.11.06 or manually apply the following commit on branch 16.11: r1858533\"},{\"lang\":\"es\",\"value\":\"Un RCE es posible mediante el ingreso del marcado de Freemarker en un campo textarea de Apache OFBiz Form Widget cuando la codificaci\u00f3n ha sido deshabilitada en dicho campo. Este fue el caso para la entrada de \\\"story\\\" de Customer Request en la aplicaci\u00f3n Order Manager. La codificaci\u00f3n no debe ser deshabilitada sin una buena raz\u00f3n y nunca dentro de un campo que acepte entrada del usuario. Mitigaci\u00f3n: actualice a la versi\u00f3n 16.11.06 o aplique manualmente la siguiente confirmaci\u00f3n en la derivaci\u00f3n 16.11: r1858533\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-74\"},{\"lang\":\"en\",\"value\":\"CWE-116\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.11.01\",\"versionEndIncluding\":\"16.11.05\",\"matchCriteriaId\":\"50D14E88-0092-41C5-84BB-C30AD300B2D4\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread.html/a02aaa4c19dfd520807cf6b106b71aad0131a6543f7f60802ae71ec2%40%3Cnotifications.ofbiz.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://s.apache.org/r49vw\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/a02aaa4c19dfd520807cf6b106b71aad0131a6543f7f60802ae71ec2%40%3Cnotifications.ofbiz.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://s.apache.org/r49vw\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.