PT-2021-2512 · Apache · Apache Ofbiz

Jacques Le Roux

Published

2021-03-22

Updated

2025-07-31

CVE-2021-26295

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Apache OFBiz versions prior to 17.12.06

Description The issue is related to unsafe deserialization in Apache OFBiz, allowing an unauthenticated attacker to take over the system. This can impact the confidentiality, integrity, and availability of protected information. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz. A high severity remote code execution flaw in Apache OFBiz could have allowed attackers to take over the ERP system.

Recommendations For Apache OFBiz versions prior to 17.12.06, update to version 17.12.06 or later to resolve the issue. As a temporary workaround, consider restricting access to the system to minimize the risk of exploitation.

Exploit

Fix

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502

Related Identifiers

BDU:2021-01889

CVE-2021-26295

Affected Products

Apache Ofbiz

PT-2021-2512 · Apache · Apache Ofbiz

CVE-2021-26295

Weakness Enumeration

Related Identifiers

Affected Products

References · 43