{"id":"CVE-2021-25958","details":"In Apache Ofbiz, versions v17.12.01 to v17.12.07 implement a try catch exception to handle errors at multiple locations but leaks out sensitive table info which may aid the attacker for further recon. A user can register with a very long password, but when he tries to login with it an exception occurs.","modified":"2026-05-30T17:18:31.797611Z","published":"2021-08-30T14:15:07.117Z","references":[{"type":"ADVISORY","url":"https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25958"},{"type":"FIX","url":"https://github.com/apache/ofbiz-framework/commit/2f5b8d33e32c4d9a48243cf9e503236acd5aec5c"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/ofbiz-framework","events":[{"introduced":"8ff603476a8b1ab568858d8910615f846682d4cb"},{"fixed":"2b17c50ce7fc821011a5864f194d2933a80f6bbd"},{"fixed":"2f5b8d33e32c4d9a48243cf9e503236acd5aec5c"}],"database_specific":{"extracted_events":[{"introduced":"17.12.01"},{"fixed":"17.12.08"}],"cpe":"cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*","source":["CPE_RANGE","REFERENCES"]}}],"versions":["release17.12.07","release17.12.06","release17.12.05","release17.12.03","release17.12.01"],"database_specific":{"vanir_signatures_modified":"2026-05-30T17:18:31Z","vanir_signatures":[{"target":{"function":"userLogin","file":"framework/common/src/main/java/org/apache/ofbiz/common/login/LoginServices.java"},"signature_version":"v1","id":"CVE-2021-25958-68c2aada","signature_type":"Function","digest":{"length":9902,"function_hash":"144741747658494383120476548327941776878"},"deprecated":false,"source":"https://github.com/apache/ofbiz-framework/commit/2f5b8d33e32c4d9a48243cf9e503236acd5aec5c"},{"target":{"file":"framework/common/src/main/java/org/apache/ofbiz/common/login/LoginServices.java"},"signature_version":"v1","id":"CVE-2021-25958-878807ce","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["32606632593640065468248210987821879733","200531111477409553662999894105605923374","289972015497303555041083521210063810923","109116416936946298742679716383752612640","81953033587050882691275832451472073088","267617210043281553941494801289174868686","34404009237307586345414036235181602538","149820428946309151202528442026414149188","159870138285328821481411082755674453957","138358119217820591267769456432040003640","187105862044598432451416096314680360342","296823163663119527232475368969174385688","177236513552390191257737232870915070621","339660004404640386518045384322311395283","199462711897053384151894667093735741136","73522910456790200690367155376074993387"]},"deprecated":false,"source":"https://github.com/apache/ofbiz-framework/commit/2f5b8d33e32c4d9a48243cf9e503236acd5aec5c"}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-25958.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}