Apache OFBiz Logo

Security

Security Vulnerabilities

We strongly encourage OfBiz users to report security problems affecting OFBiz to the private security mailing lists (either security@ofbiz.apache.org or security@apache.org), before disclosing them in a public forum. Please report only one vulnerability by email. Else, it makes things more complicated for us, thanks!

Please see the ASF Security Team webpage for further information about reporting a security vulnerability as well as their contact information.

You might be interested by our Keeping OFBiz secure wiki page.

List of Known Vulnerabilities

  • CVE-2018-17200; affected releases: from 16.11.01 to 16.11.05; fixed in 16.11.06 with revisions 1850017, 1850019.
  • CVE-2019-0189; affected releases: from 16.11.01 to 16.11.05; fixed in 16.11.06 with revisions specified in OFBIZ-10770, OFBIZ-10837.
  • CVE-2019-10073; affected releases: from 16.11.01 to 16.11.05; fixed in 16.11.06 with revisions 1858438, 1858543, 1860595, 1860616.
  • CVE-2019-10074; affected releases: from 16.11.01 to 16.11.05; fixed in 16.11.06 with revision 1858533.
  • CVE-2018-8033; affected releases: from 16.11.01 to 16.11.04; fixed in 16.11.05 with revisions 1833708, 1836141.
  • CVE-2011-3600; affected releases: from 16.11.01 to 16.11.04; fixed in 16.11.05 with revisions 1833724, 1833708, 1836141.
  • CVE-2017-15714; affected releases: from 16.11.01 to 16.11.03; fixed in 16.11.04 with revision 1759065
  • CVE-2016-6800; affected releases: 13.07.*, 12.04.*, 11.04.*; fixed in 16.11.01 with revisions 1759065 and 1759218
  • CVE-2016-4462; affected releases: 13.07.*, 12.04.*, 11.04.*; fixed in 16.11.01 with revisions 1761978, 1761986 and 1761987
  • CVE-2016-2170; affected releases: 13.07.02 and earlier versions (13.07.*), 12.04.05 and earlier versions (12.04.*); fixed in 13.07.03 and 12.04.06
  • CVE-2015-3268; affected releases: 13.07.02 and earlier versions (13.07.*), 12.04.05 and earlier versions (12.04.*); fixed in 13.07.03 and 12.04.06
  • CVE-2014-0232; affected releases: 12.04.03 and earlier versions (12.04.*), 11.04.04 and earlier versions (11.04.*); fixed in 12.04.04 and 11.04.05
  • CVE-2013-2250; affected releases: 12.04.01, 11.04.02 and earlier versions (11.04.*), 10.04.05 and earlier versions (10.04.*); fixed in 12.04.02, 11.04.03 and 10.04.06
  • CVE-2013-2137; affected releases: 12.04.01, 11.04.02 and earlier versions (11.04.*), 10.04.05 and earlier versions (10.04.*); fixed in 12.04.02, 11.04.03 and 10.04.06
  • CVE-2013-0177; affected releases: 11.04.01, 10.04.04 and earlier versions (10.04.*); fixed in 11.04.02 and 10.04.05
  • CVE-2012-3506; affected releases: 10.04.02, 10.04 (10.04.01); fixed in 10.04.03
  • CVE-2012-1622; affected releases: 10.04 (10.04.01); fixed in 10.04.02
  • CVE-2012-1621; affected releases: 10.04 (10.04.01); fixed in 10.04.02
  • CVE-2010-0432; affected releases: 09.04; fixed in 09.04.01