{"id":"CVE-2021-29200","details":"Apache OFBiz has unsafe deserialization prior to version 17.12.07. An unauthenticated user can perform an RCE attack.","modified":"2026-04-12T02:45:21.506512Z","published":"2021-04-27T20:15:08.827Z","references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r108a964764b8bd21ebd32ccd4f51c183ee80a251c105b849154a8e9d%40%3Ccommits.ofbiz.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r708351f1a8af7adb887cc3d8a92bed8fcbff4a9e495e69a9ee546fda%40%3Cnotifications.ofbiz.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rbe8439b26a71fc3b429aa793c65dcc4a6e349bc7bb5010746a74fa1d%40%3Ccommits.ofbiz.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/re21d25d9fb89e36cea910633779c23f144b9b60596b113b7bf1e8097%40%3Cannounce.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/re21d25d9fb89e36cea910633779c23f144b9b60596b113b7bf1e8097%40%3Cuser.ofbiz.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/re21d25d9fb89e36cea910633779c23f144b9b60596b113b7bf1e8097%40%3Cdev.ofbiz.apache.org%3E"},{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2021/04/27/4"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/ofbiz-framework","events":[{"introduced":"0"},{"fixed":"717bd4ba43807ee20eafbe1d44b048b3d4f7b20c"}],"database_specific":{"source":"CPE_FIELD","cpe":"cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"17.12.07"}]}}],"versions":["release17.12.01","release17.12.03","release17.12.05","release17.12.06"],"database_specific":{"vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["110015357393237510422024547574110445891","103759469619733990389107269988253683292","53310710791051227402110386129181641124","338375898274596716495337317305322336620","252025656421102958553176540317162580723","326270266377966770245133828702753501876","21701660981980268114185963
7634855935287","156772864617605705593393775214733732284","142748572956406197153890146424230660178","242918629267813835003175391117285889672","275436613290359802416043000553657283867","327848660510616831988587361445399539602","304625182092133006104264998509195074719","226487228024108790944300977603416434887","298719494205625718619385142369913695954","189928426396389557405566135383339705472","85445592557782425591869575799430982868","331630501652662490500311835116269740470","206233465455324272214085228383807030490","93492048358034791674208089889632386451","88976781864824335147783806406434465949","144821322174533928607795755636700290308","106151073967580855851351509449120792913","115048922722834692105810608253650446279","284266970324443606099003225672678301584","240763838389343635670668203169045824818"]},"target":{"file":"framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java"},"source":"https://github.com/apache/ofbiz-framework/commit/717bd4ba43807ee20eafbe1d44b048b3d4f7b20c","signature_type":"Line","signature_version":"v1","deprecated":false,"id":"CVE-2021-29200-5d11b77b"},{"digest":{"length":2640,"function_hash":"325160111052579006851973960307013263862"},"target":{"function":"isValidFile","file":"framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java"},"source":"https://github.com/apache/ofbiz-framework/commit/717bd4ba43807ee20eafbe1d44b048b3d4f7b20c","signature_type":"Function","signature_version":"v1","deprecated":false,"id":"CVE-2021-29200-94ab6085"}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-29200.json","vanir_signatures_modified":"2026-04-12T02:45:21Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}