Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 18 Apr 2023 11:15:52 +0200
From: Jacques Le Roux <>
Cc: Arnout Engelen <>,,
 "" <>,
 "" <>
Subject: Re: CVE-2022-47501: Apache OFBiz: Arbitrary file
 reading vulnerability

Hi Seth,

I used to give more information. For this one, using our "new" internal process* (need an ASF credential) and  following step 11 of**, notably

    <<Generally, reports should contain enough information to enable people to assess the risk the vulnerability poses for their own system, and no

I restricted the information to a minimum.

With a request from Arnoult (member of the ASF security team in copy), there is though 2 points that have been changed since.

When sending to Mitre we replaced

You can see the result at

We also changed the "problem type" to be more specific. Following the CWE classification, we used "CWE-22 Improper Limitation of a Pathname to a 
Restricted Directory ('Path Traversal')" rather than "Arbitrary file reading vulnerability" used by the finder who stayed as the CVE title. You can 
see it at which is the json version of the report.

Regarding your points:

  * the vulnerability was introduced long ago (years) when the plugin was created. It was around 2013.
  * gives indirect information about the fix. Do you suggest that we need to put a direct link like ?

Thanks for the links. We will certainly consider what can be done to ease the work of downstream distributors and consumers.



Le 18/04/2023 à 03:27, Seth Arnold a écrit :
> On Mon, Apr 10, 2023 at 09:21:11AM +0000, Jacques Le Roux wrote:
> Hello Jacques, thanks for contacting the oss-security mail list about this
> security issue in an Apache project.
> I'd like to suggest that your email would be far more useful if
> it included some details like affected versions: ideally, when a
> vulnerability was introduced, and definitely, when it was fixed, if a
> fix is available. Best would be a direct link to a patch in a source
> control system, or attaching the patch directly.
> This particular email has very few details and no references for a fix so
> it is very difficult for anyone to take concrete actions.
> Here's two recent postings that are far easier for downstream distributors
> and consumers alike to use:
> I'd like to encourage Apache to use these as inspiration for future
> oss-security postings.
> Thanks

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.