CVE-2022-25371
Severity: CRITICAL
Apache OFBiz < 18.12.06 - Remote Code Execution via Birt Plugin
Title source: llmDescription
Apache OFBiz uses the Birt project plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. By leveraging a bug in Birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142) it is possible to perform a remote code execution (RCE) attack in Apache OFBiz, release 18.12.05 and earlier.
References (4)
Core References:
- https://lists.apache.org/thread/bvp3sczqq863lxr1wh7wjvdtjbkcwspq (Mailing List, Patch, Vendor Advisory; x_refsource_misc)
- http://www.openwall.com/lists/oss-security/2022/09/02/7 (Mailing List, Patch, Third Party Advisory; mailing-list, x_refsource_mlist)
- http://www.openwall.com/lists/oss-security/2022/09/03/1 (Mailing List, Patch, Third Party Advisory; mailing-list, x_refsource_mlist)
- http://www.openwall.com/lists/oss-security/2022/09/08/2 (Mailing List, Third Party Advisory; mailing-list, x_refsource_mlist)
Scores
CVSS v3: 9.8
EPSS: 0.0195
EPSS Percentile: 83.7%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment):
- Exploitation: poc
- Automatable: yes
- Technical Impact: total
Details
CWE: CWE-22
Status: published
Products (1): apache/ofbiz < 18.12.06
Published: Sep 02, 2022
Tracked Since: Feb 18, 2026