[CVE-2013-2250] Apache OFBiz Nested expression evaluation allows remote users to execute arbitrary UEL functions in OFBiz

From: Jacopo Cappellato (jacopoc@apache.org)
Date: Sat Jul 20 2013 - 11:03:18 CDT


CVE-2013-2250 - Apache OFBiz Nested expression evaluation allows remote users to execute arbitrary UEL functions in OFBiz

Vendor:
The Apache Software Foundation

Versions Affected:
Apache OFBiz 10.04.01 to 10.04.05
Apache OFBiz 11.04.01 to 11.04.02
Apache OFBiz 12.04.01

Description:

Request parameter values are not correctly validated before they are passed to the expression engine. If a parameter value contains JUEL (Java Unified Expression Language) metacharacters, the value is interpreted as a nested expression instead of being treated as literal data, so a remote user can cause arbitrary UEL functions to be evaluated by the application.
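The bug class described above, as an added example that is not code from the advisory, from OFBiz or from JUEL: a constructed toy evaluator for UEL-style `${...}` expressions with two entry points. `evaluate_once` substitutes expressions in a template a single time, so a request parameter that happens to contain `${...}` stays literal text. `evaluate_nested` keeps re-evaluating while the result still looks like an expression, which is the pattern that turns attacker-controlled data into an evaluated function call. The function registry, variable names and sample parameter value are all constructed for the example; the real OFBiz code path and function set are not shown on this page.

```python
import re

# Constructed toy model of a UEL-style evaluator. Not OFBiz or JUEL code;
# it exists only to show single-pass versus nested evaluation of ${...}.
EXPR = re.compile(r"\$\{([^}]*)\}")
CALL = re.compile(r"^(\w+):(\w+)\((.*)\)$")

# Constructed function registry. In a real engine, whatever the application
# (or the container) registers is callable from any evaluated expression.
FUNCTIONS = {
    ("str", "upper"): lambda s: str(s).upper(),
    ("sys", "env"): lambda k: {"HOME": "/home/ofbiz"}.get(str(k), ""),
}


def is_expression_like(value):
    """Validation check a caller can apply to request parameters: true if the
    value contains an immediate (${) or deferred (#{) UEL expression opener."""
    return re.search(r"[$#]\{", str(value)) is not None


def _resolve(expr, variables):
    """Resolve the body of one ${...}: a variable name or prefix:name(args)."""
    expr = expr.strip()
    m = CALL.match(expr)
    if m:
        prefix, name, raw_args = m.groups()
        fn = FUNCTIONS.get((prefix, name))
        if fn is None:
            raise ValueError(f"unknown function {prefix}:{name}")
        args = [a.strip().strip("'") for a in raw_args.split(",") if a.strip()]
        return fn(*args)
    if expr in variables:
        return variables[expr]
    raise ValueError(f"unknown variable {expr}")


def evaluate_once(template, variables):
    """Safe pattern: substitute ${...} in the template exactly once.
    Whatever a substituted value contains is left as literal text."""
    return EXPR.sub(lambda m: str(_resolve(m.group(1), variables)), template)


def evaluate_nested(template, variables, max_depth=8):
    """Vulnerable pattern: re-evaluate while the result still looks like an
    expression. Data substituted from a request parameter on one pass is
    treated as code on the next pass. max_depth only bounds the loop."""
    result = template
    for _ in range(max_depth):
        if not EXPR.search(result):
            break
        result = evaluate_once(result, variables)
    return result


if __name__ == "__main__":
    # Constructed request parameter whose value is itself an expression.
    variables = {"name": "${sys:env('HOME')}"}
    template = "Hello ${name}"
    print("validation flags parameter:", is_expression_like(variables["name"]))
    print("single pass :", evaluate_once(template, variables))
    print("nested pass :", evaluate_nested(template, variables))
```

Running the block prints the single-pass result with the parameter still literal (`Hello ${sys:env('HOME')}`) and the nested result with the function already called (`Hello /home/ofbiz`). The fix in an engine of this shape is to evaluate request-supplied values once and to reject or escape values that match `is_expression_like` anywhere a later evaluation pass might see them.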

Mitigation:
10.04.x users should upgrade to 10.04.06
11.04.x users should upgrade to 11.04.03
12.04.01 users should upgrade to 12.04.02

Credit:
This issue was discovered by Grégory Draperi (gregory.draperi@gmail.com).

References:

http://ofbiz.apache.org/download.html#vulnerabilities

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)

iQIcBAEBCgAGBQJR6rTGAAoJEHpYCQiEevngVXMP/1SjZEHXRBNyVjUp6dxoe6EZ
0INWM4bFYtQajaAhzuJmaWg0XpeXUw7RueSKnnAjMPFDS/e3GESEblW1sjL6stUl
mX+XsOJUUduPaBFTRsJ4yXV/JCw7/CPW+IEtgbTHOw0ahBcQqUo+drFQH/9vfKC6
2VDJuo/RTm7EuF0Lc5wIYfaokZbpoNzWYwd9OUtIAPFvKKasnsLvbTEXlii8+xAo
gqQbYJs7nYn1BRL9+03k2b0PMPNvCwue8ynVISdVelCeow9lehEiPOCq2xYMIiuz
pCVUbs+Pd+W1z+7reAAlAuNkPMEVdC55FGsBr2Qe7K8P+IAgu26yFuDGH0D++4o6
cf2Wx1bbvBiRgrdoz3MQQosRKlhp14U7dtt3IV/rDqTPqPduDVAw9as0j1YtHVUa
01V7vKm4w5eRRcG8M8frwfelfj5kvjYP7mgWt/6ikItHY/qQS/1wBvACbyWi7fv8
8c110X++SUxVHqoSNMdoMCYT6/weGsPaBEia7uwB7+f8eYZ27XgjazUKdjeYLSt+
nwxtsXeTEInlEtA1NdlHnDbTQo67vFumAAFXB3/vxENVvMwGc3MEy5E5SlaAu9/O
B/UH5aeRVThaoIS4j7s55S+cMNgvma+zMEWxAHaiOvWOANh8kVyJfsUYmrlKUYui
2yLWuT9d7qPu72YsepQy
=yl5i
-----END PGP SIGNATURE-----