Security

Security Vulnerabilities

Please see the ASF Security Team webpage for further information about reporting a security vulnerability as well as their contact information.

We strongly encourage OfBiz users to report security problems affecting OFBiz to the private security mailing lists (either security@ofbiz.apache.org or security@apache.org), before disclosing them in a public forum. Please don't pack several vulnerabilities in the same report, send them one by one, thanks in advance.

Note that we no longer create CVEs for post-auth attacks done using demo credentials, notably using the admin user. Rather create bugs reports in our issue tracker (Jira) for that. Please don't create Jira issues for unauth (aka pre-auth) reports, thanks in advance.

One of the reason we no longer create CVEs for post-auth attacks done using demo credentials is because we highly suggest to OFBiz users to not use credentials demo in production and we expect OFBiz users to do so. We also warn our users on the "Keeping OFBiz secure wiki page". And finally, mostly we reject post-auth vulnerabilities because we have a solid CSRF defense.

List of Known Vulnerabilities

• CVE-2021-44832; affected all releases before 17.12.09 and 18.12.05; fixed in 17.12.09 and 18.12.05 with commits 00896e7, c69bc8f, 5b6e427
• CVE-2021-45105; affected all releases before 17.12.09 and 18.12.04; fixed in 17.12.09 and 18.12.04 with commits 00896e7, c69bc8f, 4442c2a
• CVE-2021-44228; affected all releases before 17.12.09 and 18.12.03; fixed in 17.12.09 and 18.12.03 with commits 00896e7, c69bc8f, bccf140
• CVE-2021-37608; affected all releases before 17.12.08; fixed in 17.12.08 with commit 8d49af4
• CVE-2021-30128; affected all releases before 17.12.07; fixed in 17.12.07 with commits 643b9c7 a343812 62e657f fcc0078 3f97578 7fd9d05.
• CVE-2021-29200; affected all releases before 17.12.07; fixed in 17.12.07 with commit 1bc8a20.
• CVE-2021-26295; affected all releases before 17.12.07; fixed in 17.12.06 with commit af9ed4e.
• CVE-2020-9496; affected releases: 17.12.03; fixed in 17.12.04.
• CVE-2020-13923; affected all releases before 17.12.04; fixed in 17.12.04.
• CVE-2019-12425; affected releases: 17.12.01; fixed in 17.12.03 with commit 793628b.
• CVE-2019-0235; affected releases: 17.12.01; fixed in 17.12.03 with commits 82ef7a5, 62f9b45.
• CVE-2020-1943; affected releases: from 16.11.01 to 16.11.07; fixed in 17.12.01.
• CVE-2019-12426; affected releases: from 16.11.01 to 16.11.06; fixed in 16.11.07 with revision 1869887.
• CVE-2018-17200; affected releases: from 16.11.01 to 16.11.05; fixed in 16.11.06 with revisions 1850017, 1850019.
• CVE-2019-0189; affected releases: from 16.11.01 to 16.11.05; fixed in 16.11.06 with revisions specified in OFBIZ-10770, OFBIZ-10837.
• CVE-2019-10073; affected releases: from 16.11.01 to 16.11.05; fixed in 16.11.06 with revisions 1858438, 1858543, 1860595, 1860616.
• CVE-2019-10074; affected releases: from 16.11.01 to 16.11.05; fixed in 16.11.06 with revision 1858533.
• CVE-2018-8033; affected releases: from 16.11.01 to 16.11.04; fixed in 16.11.05 with revisions 1833708, 1836141.
• CVE-2011-3600; affected releases: from 16.11.01 to 16.11.04; fixed in 16.11.05 with revisions 1833724, 1833708, 1836141.
• CVE-2017-15714; affected releases: from 16.11.01 to 16.11.03; fixed in 16.11.04 with revision 1759065
• CVE-2016-6800; affected releases: 13.07.*, 12.04.*, 11.04.*; fixed in 16.11.01 with revisions 1759065 and 1759218
• CVE-2016-4462; affected releases: 13.07.*, 12.04.*, 11.04.*; fixed in 16.11.01 with revisions 1761978, 1761986 and 1761987
• CVE-2016-2170; affected releases: 13.07.02 and earlier versions (13.07.*), 12.04.05 and earlier versions (12.04.*); fixed in 13.07.03 and 12.04.06
• CVE-2015-3268; affected releases: 13.07.02 and earlier versions (13.07.*), 12.04.05 and earlier versions (12.04.*); fixed in 13.07.03 and 12.04.06
• CVE-2014-0232; affected releases: 12.04.03 and earlier versions (12.04.*), 11.04.04 and earlier versions (11.04.*); fixed in 12.04.04 and 11.04.05
• CVE-2013-2250; affected releases: 12.04.01, 11.04.02 and earlier versions (11.04.*), 10.04.05 and earlier versions (10.04.*); fixed in 12.04.02, 11.04.03 and 10.04.06
• CVE-2013-2137; affected releases: 12.04.01, 11.04.02 and earlier versions (11.04.*), 10.04.05 and earlier versions (10.04.*); fixed in 12.04.02, 11.04.03 and 10.04.06
• CVE-2013-0177; affected releases: 11.04.01, 10.04.04 and earlier versions (10.04.*); fixed in 11.04.02 and 10.04.05
• CVE-2012-3506; affected releases: 10.04.02, 10.04 (10.04.01); fixed in 10.04.03
• CVE-2012-1622; affected releases: 10.04 (10.04.01); fixed in 10.04.02
• CVE-2012-1621; affected releases: 10.04 (10.04.01); fixed in 10.04.02
• CVE-2010-0432; affected releases: 09.04; fixed in 09.04.01