CVE-2022-29158

Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provided by external, unauthenticated users. Upgrade to 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12599

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2022/09/02/5	Mailing List Patch Third Party Advisory
https://lists.apache.org/thread/7k92rg1o4ql2yw3o0vttkcl2jhq7j928	Mailing List Patch Vendor Advisory
http://www.openwall.com/lists/oss-security/2022/09/02/5	Mailing List Patch Third Party Advisory
https://lists.apache.org/thread/7k92rg1o4ql2yw3o0vttkcl2jhq7j928	Mailing List Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*

History

21 Nov 2024, 06:58

Type	Values Removed	Values Added
References	~~() http://www.openwall.com/lists/oss-security/2022/09/02/5 - Mailing List, Patch, Third Party Advisory~~	() http://www.openwall.com/lists/oss-security/2022/09/02/5 - Mailing List, Patch, Third Party Advisory
References	~~() https://lists.apache.org/thread/7k92rg1o4ql2yw3o0vttkcl2jhq7j928 - Mailing List, Patch, Vendor Advisory~~	() https://lists.apache.org/thread/7k92rg1o4ql2yw3o0vttkcl2jhq7j928 - Mailing List, Patch, Vendor Advisory

21 Jul 2023, 16:38

Type	Values Removed	Values Added
CWE	~~NVD-CWE-Other~~	CWE-1333

Information

Published : 2022-09-02 07:15

Updated : 2024-11-21 06:58

NVD link : CVE-2022-29158

Mitre link : CVE-2022-29158

CVE.ORG link : CVE-2022-29158

JSON object : View

Products Affected

apache

ofbiz

CWE

CWE-1333

Inefficient Regular Expression Complexity

{"id": "CVE-2022-29158", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2022-09-02T07:15:07.630", "references": [{"url": "http://www.openwall.com/lists/oss-security/2022/09/02/5", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/7k92rg1o4ql2yw3o0vttkcl2jhq7j928", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2022/09/02/5", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread/7k92rg1o4ql2yw3o0vttkcl2jhq7j928", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-1333"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-1333"}]}], "descriptions": [{"lang": "en", "value": "Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provided by external, unauthenticated users. Upgrade to 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12599"}, {"lang": "es", "value": "Apache OFBiz versiones hasta 18.12.05, es vulnerable a la Denegaci\u00f3n de Servicio por Expresi\u00f3n Regular (ReDoS) en la forma en que maneja las URLs proporcionadas por usuarios externos no autenticados. Actualice a versi\u00f3n 18.12.06 o aplique los parches en https://issues.apache.org/jira/browse/OFBIZ-12599"}], "lastModified": "2024-11-21T06:58:36.370", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B41AC544-FCCD-4136-BA78-4BA21DB66095", "versionEndExcluding": "18.12.06"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}