Return-Path: X-Original-To: apmail-announce-archive@www.apache.org Delivered-To: apmail-announce-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id CCE1C10841 for ; Sat, 20 Jul 2013 17:52:46 +0000 (UTC) Received: (qmail 67917 invoked by uid 500); 20 Jul 2013 17:51:43 -0000 Delivered-To: apmail-announce-archive@apache.org Received: (qmail 67269 invoked by uid 500); 20 Jul 2013 17:51:42 -0000 Mailing-List: contact announce-help@apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list announce@apache.org Delivered-To: moderator for announce@apache.org Received: (qmail 63481 invoked by uid 99); 20 Jul 2013 16:04:07 -0000 X-ASF-Spam-Status: No, hits=0.0 required=5.0 tests= X-Spam-Check-By: apache.org Received-SPF: error (nike.apache.org: local policy) X-Virus-Scanned: amavisd-new at zimbra.hotwaxmedia.com From: Jacopo Cappellato Content-Type: multipart/signed; boundary="Apple-Mail=_B47CE5B6-0B23-406C-8023-6F03CEF79315"; protocol="application/pgp-signature"; micalg=pgp-sha512 Subject: [CVE-2013-2250] Apache OFBiz Nested expression evaluation allows remote users to execute arbitrary UEL functions in OFBiz Message-Id: <72651102-11EB-4E73-A0B2-CA9300AFDCBF@apache.org> Date: Sat, 20 Jul 2013 18:03:18 +0200 To: gregory draperi , security Team , "dev@ofbiz.apache.org" , "user@ofbiz.apache.org ML" , "announce@apache.org" , full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\)) X-Mailer: Apple Mail (2.1508) X-Virus-Checked: Checked by ClamAV on apache.org --Apple-Mail=_B47CE5B6-0B23-406C-8023-6F03CEF79315 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=iso-8859-1 CVE-2013-2250 - Apache OFBiz Nested expression evaluation allows remote = users to execute arbitrary UEL functions in OFBiz Vendor: The Apache Software Foundation Versions Affected: Apache OFBiz 10.04.01 to 10.04.05 Apache OFBiz 11.04.01 to 11.04.02 Apache OFBiz 12.04.01 Description: Parameter values are not correctly validated and if JUEL metacharacters = are included they are interpreted. Mitigation: 10.04.x users should upgrade to 10.04.06 11.04.x users should upgrade to 11.04.03 12.04.01 users should upgrade to 12.04.02 Credit: This issue was discovered by Gr=E9gory Draperi = (gregory.draperi@gmail.com). References: http://ofbiz.apache.org/download.html#vulnerabilities --Apple-Mail=_B47CE5B6-0B23-406C-8023-6F03CEF79315 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP using GPGMail -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.19 (Darwin) iQIcBAEBCgAGBQJR6rTGAAoJEHpYCQiEevngVXMP/1SjZEHXRBNyVjUp6dxoe6EZ 0INWM4bFYtQajaAhzuJmaWg0XpeXUw7RueSKnnAjMPFDS/e3GESEblW1sjL6stUl mX+XsOJUUduPaBFTRsJ4yXV/JCw7/CPW+IEtgbTHOw0ahBcQqUo+drFQH/9vfKC6 2VDJuo/RTm7EuF0Lc5wIYfaokZbpoNzWYwd9OUtIAPFvKKasnsLvbTEXlii8+xAo gqQbYJs7nYn1BRL9+03k2b0PMPNvCwue8ynVISdVelCeow9lehEiPOCq2xYMIiuz pCVUbs+Pd+W1z+7reAAlAuNkPMEVdC55FGsBr2Qe7K8P+IAgu26yFuDGH0D++4o6 cf2Wx1bbvBiRgrdoz3MQQosRKlhp14U7dtt3IV/rDqTPqPduDVAw9as0j1YtHVUa 01V7vKm4w5eRRcG8M8frwfelfj5kvjYP7mgWt/6ikItHY/qQS/1wBvACbyWi7fv8 8c110X++SUxVHqoSNMdoMCYT6/weGsPaBEia7uwB7+f8eYZ27XgjazUKdjeYLSt+ nwxtsXeTEInlEtA1NdlHnDbTQo67vFumAAFXB3/vxENVvMwGc3MEy5E5SlaAu9/O B/UH5aeRVThaoIS4j7s55S+cMNgvma+zMEWxAHaiOvWOANh8kVyJfsUYmrlKUYui 2yLWuT9d7qPu72YsepQy =yl5i -----END PGP SIGNATURE----- --Apple-Mail=_B47CE5B6-0B23-406C-8023-6F03CEF79315--