Apache OFBiz Nested Expression Remote Code Execution Vulnerability

Vulnerability ID: 1166916    Vulnerability type: Input validation
Published: 2013-07-20    Updated: 2013-07-20
CVE ID: CVE-2013-2250    CNNVD ID: CNNVD-201307-476
Platform: N/A    CVSS score: 10.0
|Vulnerability sources
https://www.securityfocus.com/bid/61369
https://cxsecurity.com/issue/WLB-2013070159
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201307-476
|Vulnerability details
Apache Open For Business Project (also known as OFBiz) is an enterprise resource planning (ERP) system from the Apache Software Foundation (USA). The system provides a complete set of Java-based web application components and tools. A security vulnerability exists in Apache OFBiz, caused by an error in how the program handles nested expressions. A remote attacker can exploit it by placing JUEL metacharacters in parameters to execute arbitrary Unified Expression Language (UEL) functions. The following versions are affected: Apache OFBiz 10.04.01 through 10.04.05, 11.04.01 through 11.04.02, and 12.04.01.
|Vulnerability exploit (vendor advisory)
CVE-2013-2250 - Apache OFBiz Nested expression evaluation allows remote users to execute arbitrary UEL functions in OFBiz

Vendor:
The Apache Software Foundation

Versions Affected:
Apache OFBiz 10.04.01 to 10.04.05
Apache OFBiz 11.04.01 to 11.04.02
Apache OFBiz 12.04.01

Description:

Parameter values are not correctly validated and if JUEL metacharacters are included they are interpreted.

Mitigation:
10.04.x users should upgrade to 10.04.06
11.04.x users should upgrade to 11.04.03
12.04.01 users should upgrade to 12.04.02

Credit:
This issue was discovered by Grégory Draperi (gregory.draperi () gmail com).

References:

http://ofbiz.apache.org/download.html#vulnerabilities
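The advisory's root cause is that request parameter values reach an expression evaluator with their UEL delimiters intact, so a value that merely looks like an expression is executed as one. The following Java class is an added example written for this page; it is not OFBiz code and does not use any OFBiz API. It shows the two defensive options a service layer has before a value is handed to any UEL/JUEL evaluator: fail closed by rejecting values that contain an expression delimiter, or neutralise the delimiters with the standard EL escape so the value is kept as literal data. The class name, method names and sample values are all constructed for the example.

```java
import java.util.List;
import java.util.regex.Pattern;

// Added example, not OFBiz code: treat incoming parameter values as data,
// never as expressions, before they can reach a UEL/JUEL evaluator.
public final class UelParameterGuard {

    // UEL/JUEL expression start sequences. A value containing either would be
    // evaluated (a "nested expression") if it were fed back into an evaluator.
    private static final Pattern UEL_DELIMITER = Pattern.compile("[$#]\\{");

    /** True if the value contains a UEL expression start sequence. */
    public static boolean containsUelExpression(String value) {
        return value != null && UEL_DELIMITER.matcher(value).find();
    }

    /**
     * Fail closed: refuse the value so the request is rejected rather than
     * evaluated. Preferred where a parameter never legitimately holds "${".
     */
    public static String requireLiteral(String name, String value) {
        if (containsUelExpression(value)) {
            throw new IllegalArgumentException(
                "parameter '" + name + "' contains a UEL expression delimiter");
        }
        return value;
    }

    /**
     * Neutralise instead of reject: prefix each delimiter with a backslash.
     * The EL specification renders "\${" and "\#{" as the literal text "${" and
     * "#{" instead of evaluating them. Assumption: the evaluator downstream
     * honours that standard escape; if unsure, use requireLiteral().
     */
    public static String escape(String value) {
        if (value == null) {
            return null;
        }
        // Replacement "\\$0" = a literal backslash followed by the matched text.
        return UEL_DELIMITER.matcher(value).replaceAll("\\\\$0");
    }

    public static void main(String[] args) {
        // Constructed sample parameter values, not captured traffic.
        List<String> samples = List.of(
            "plain product name",
            "price ${1+1}",
            "#{someBean.property}");
        for (String s : samples) {
            System.out.printf("%-24s expression=%-5b escaped=%s%n",
                s, containsUelExpression(s), escape(s));
            try {
                requireLiteral("sample", s);
                System.out.println("  accepted as literal");
            } catch (IllegalArgumentException e) {
                System.out.println("  rejected: " + e.getMessage());
            }
        }
    }
}
```

Rejecting is the simpler control to reason about and is what most parameter types want; escaping is only appropriate where "${" can legitimately appear in data and the evaluator's escape handling has been verified. Either check belongs at the boundary where the parameter enters the application, before any code path that may later interpret the value.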
|Affected products
Apache OfBiz 12.4.1
Apache OfBiz 11.4.2
Apache OfBiz 11.4.1
Apache OfBiz 10.4.5
Apache OfBiz 10.4.4
Apache OfBiz 10.4.3
Apache OfBiz 10.4.2
|References

Source: ofbiz.apache.org
Link: http://ofbiz.apache.org/download.html#vulnerabilities
Source: XF
Name: apache-ofbiz-cve20132250-code-exec (85875)
Link: http://xforce.iss.net/xforce/xfdb/85875
Source: BID
Name: 61369
Link: http://www.securityfocus.com/bid/61369
Source: SECUNIA
Name: 53910
Link: http://secunia.com/advisories/53910
Source: OSVDB
Name: 95522
Link: http://osvdb.org/95522
Source: BUGTRAQ
Name: 20130720 [CVE-2013-2250] Apache OFBiz Nested expression evaluation allows remote users to execute arbitrary UEL functions in OFBiz
Link: http://archives.neohapsis.com/archives/bugtraq/2013-07/0143.html