[ https://issues.apache.org/jira/browse/OFBIZ-11716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-11716.
-----------------------------------
    Fix Version/s: 17.12.04
                   18.12.01
       Resolution: Fixed

> Apache OFBiz unsafe deserialization of XMLRPC arguments (CVE-2020-9496)
> -----------------------------------------------------------------------
>
>                 Key: OFBIZ-11716
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11716
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework/webtools
>   Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.01, 17.12.04
>
>
> Because the 2 xmlrpc related requests in webtools (xmlrpc and ping) are not
> using authentication they are vulnerable to unsafe deserialization.
> This issue was reported to the security team by Alvaro Munoz
> <pwntes...@github.com> from the GitHub Security Lab team

--
This message was sent by Atlassian Jira
(v8.3.4#803005)