[Vulnerability Advisory] Apache OFBiz Arbitrary File Upload Vulnerability (CVE-2021-37608)

Publication date: 2021-08-12



0x00 Vulnerability overview

CVE ID: CVE-2021-37608
Date: 2021-08-11
Type: File upload
Severity: High
Remotely exploitable: Yes
Affected versions: Apache OFBiz < 17.12.08
Attack complexity:
Availability: High
User interaction: None
Privileges required:
PoC/EXP: Not public
Exploited in the wild: No

0x01 Vulnerability details

Apache OFBiz is an enterprise process automation suite that helps organisations automate their internal business processes; it provides management functions such as ERP (enterprise resource planning) and CRM (customer relationship management).

On 11 August 2021, Apache published a security advisory disclosing an arbitrary file upload vulnerability in OFBiz (CVE-2021-37608). Because of a validation error in Apache OFBiz, an attacker can exploit this flaw to upload arbitrary files and execute malicious code remotely.
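The advisory says only that a validation error lets an attacker upload arbitrary files. The Python below is an added example, not OFBiz code and not the patch tracked in OFBIZ-12297: it contrasts the weak pattern (trusting the client-supplied filename for both storage location and file type) with a hardened validator that strips directory components, allow-lists the extension, checks the content's leading bytes against the declared type, and stores the file under a server-generated name. The upload root, the allowed types and the sample bytes are constructed for the example.

```python
import posixpath
import uuid

# Constructed upload root for the example; a real application uses its own.
UPLOAD_ROOT = "/var/app/uploads"

# Allow-list: only the file types this application genuinely needs.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}

# Leading bytes expected for each allowed type, so the extension alone is
# never trusted.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def vulnerable_destination(client_filename: str) -> str:
    """The weak pattern: the client-supplied name decides where the file lands
    and what type it is. A name such as '../x.jsp' escapes UPLOAD_ROOT and
    lands with whatever extension the client chose."""
    return posixpath.join(UPLOAD_ROOT, client_filename)


def validate_upload(client_filename: str, content: bytes) -> str:
    """Return the validated extension for an upload, or raise UploadRejected."""
    # 1. Drop any directory part; treat backslashes as separators too.
    base = posixpath.basename(client_filename.replace("\\", "/"))
    if not base or base.startswith("."):
        raise UploadRejected("empty or hidden filename")
    # 2. No NUL or other control characters (defeats null-byte truncation).
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in base):
        raise UploadRejected("control character in filename")
    # 3. Only the final extension counts, and it must be on the allow-list.
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        raise UploadRejected("filename has no extension")
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension .{ext} is not allowed")
    # 4. The bytes must look like the declared type.
    if not any(content.startswith(magic) for magic in MAGIC[ext]):
        raise UploadRejected("content does not match the declared type")
    return ext


def is_upload_allowed(client_filename: str, content: bytes) -> bool:
    """Boolean wrapper around validate_upload for callers that only need yes/no."""
    try:
        validate_upload(client_filename, content)
        return True
    except UploadRejected:
        return False


def safe_destination(client_filename: str, content: bytes) -> str:
    """Validate, then store under a server-generated name inside UPLOAD_ROOT."""
    ext = validate_upload(client_filename, content)
    stored = f"{uuid.uuid4().hex}.{ext}"
    dest = posixpath.normpath(posixpath.join(UPLOAD_ROOT, stored))
    # Defence in depth: the final path must still sit under the upload root.
    if posixpath.commonpath([UPLOAD_ROOT, dest]) != UPLOAD_ROOT:
        raise UploadRejected("resolved path escapes the upload root")
    return dest


# Constructed sample uploads: a valid PNG header and a JSP-looking text file.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
JSP_BYTES = b'<%@ page language="java" %>'

if __name__ == "__main__":
    print("weak:", vulnerable_destination("../../webapps/ROOT/x.jsp"))
    for name, data in [("x.jsp", JSP_BYTES), ("x.png", JSP_BYTES),
                       ("../../photo.PNG", PNG_BYTES)]:
        print(name, "allowed" if is_upload_allowed(name, data) else "rejected")
```

The server-generated name is what closes the double-extension and traversal cases for good: even a filename that passes the allow-list never reaches the filesystem, so there is nothing for a web server's extension handling to misinterpret.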

Affected versions

Apache OFBiz < 17.12.08

0x02 Remediation

This vulnerability has been fixed. Affected users are advised to upgrade to 17.12.08 or a later version promptly.

Download link:

http://ofbiz.apache.org/download.html#vulnerabilities

Patch link:

https://issues.apache.org/jira/browse/OFBIZ-12297
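To act on the "upgrade to 17.12.08 or later" advice across an estate, an operator needs a version comparison that does not trip over formatting differences. This Python snippet is an added example, not part of the advisory or of the OFBiz project: it parses dotted OFBiz version strings so that 17.12.08 and 17.12.8 compare equal, flags anything below 17.12.08 as inside the affected range stated above, and runs that check over a constructed hostname-to-version inventory.

```python
import re

# Lower bound of the fixed releases, as stated in the advisory.
FIXED_VERSION = "17.12.08"


def parse_version(version: str) -> tuple:
    """Turn '17.12.08' (or '17.12.08-RC1') into (17, 12, 8) for comparison.
    Leading zeros are dropped so '17.12.08' and '17.12.8' compare equal;
    a suffix after '-' (release candidate, snapshot) is ignored."""
    parts = re.findall(r"\d+", version.split("-")[0])
    if not parts:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the installed release is below 17.12.08."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def hosts_needing_upgrade(inventory: dict) -> list:
    """Return the hostnames whose OFBiz version is in the affected range."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed inventory for the example (hostname -> reported OFBiz version).
SAMPLE_INVENTORY = {
    "erp-prod-01": "17.12.07",
    "erp-prod-02": "17.12.08",
    "erp-test-01": "16.11.05",
    "erp-dev-01": "18.12.01",
}

if __name__ == "__main__":
    for host in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> upgrade to {FIXED_VERSION} or later")
```

Numeric tuple comparison is deliberately used instead of string comparison: as strings, "17.12.8" sorts above "17.12.08" and "9.x" sorts above "17.x", either of which would silently miss hosts.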

0x03 References

http://mail-archives.apache.org/mod_mbox/www-announce/202108.mbox/%3C40716d3e-150d-10d6-ee27-aca4ae0480fb@apache.org%3E

https://issues.apache.org/jira/browse/OFBIZ-12297

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37608

0x04 Revision history

Version   Date         Changes
V1.0      2021-08-12   Initial release

0x05 Appendix

CNVD: www.cnvd.org.cn

CNNVD: www.cnnvd.org.cn

CVE: cve.mitre.org

NVD: nvd.nist.gov

CVSS: www.first.org

0x06 About 抖圈为赌而生

Follow the official account for more news.