{"vulnerability": "cve-2018-17200", "sightings": [{"uuid": "85aad9e7-6b81-44b8-bdc7-839e8c010565", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2018-17200", "type": "seen", "source": "https://t.me/cibsecurity/6688", "content": "ATENTION\u203c New - CVE-2018-17200\n\nThe Apache OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. This service takes the `serviceContent` parameter in the request and deserializes it using XStream. This `XStream` instance is slightly guarded by disabling the creation of `ProcessBuilder`. However, this can be easily bypassed (and in multiple ways). Mitigation: Upgrade to 16.11.06 or manually apply the following commits on branch 16 r1850017+1850019\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2019-09-12T00:31:34.000000Z"}]}