Description
The Webtools XMLRPC endpoint of Apache OFBiz uses unsafe Java deserialization and is vulnerable to deserialization attacks. An attacker could exploit this vulnerability using specially crafted serialized data to execute arbitrary code on the system or to perform a denial-of-service attack.
Remediation
Upgrade to the latest version of Apache OFBiz.