August 12, 2020

GHSL-2020-069: Unsafe deserialization of XMLRPC arguments in ApacheOfBiz - CVE-2020-9496

Alvaro Munoz


Apache OfBiz is vulnerable to pre-auth Remote Code Execution (RCE) via unsafe deserialization.


Apache Ofbiz

Tested Version



Unsafe deserialization of XMLRPC arguments

OfBiz exposes an XMLRPC endpoint at /webtools/control/xmlrpc. The endpoint itself is unauthenticated, because authentication is applied on a per-service basis, and the XMLRPC request is processed before that per-service authentication takes place. As part of this processing, any serialized arguments carried in the remote invocation are deserialized. Therefore, if the classpath contains classes that can be used as gadgets to achieve remote code execution, an attacker will be able to run arbitrary system commands on any OfBiz server with the same privileges as the servlet container running OfBiz.
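The following is an added detection example, not code from the advisory or from the OfBiz project. It shows how a defender with access to request bodies (for example from a reverse proxy or WAF capture) can flag XML-RPC calls to the endpoint above whose parameters carry a Java serialization stream, by base64-decoding every parameter text node and checking for the `java.io.ObjectOutputStream` header bytes rather than relying on a particular wrapper element. The endpoint path comes from the advisory; the sample requests, the service name, the element layout and the truncated stream header are constructed for illustration.

```python
"""Flag XML-RPC requests whose parameters carry a Java-serialized object.

Added detection example (not OfBiz code). Assumes request bodies are
available from a reverse proxy or WAF capture; all sample requests below
are constructed for illustration.
"""
import base64
import binascii
import re
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree in production to resist XML bombs

# Header written by java.io.ObjectOutputStream: STREAM_MAGIC 0xACED, STREAM_VERSION 5
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
XMLRPC_PATH = "/webtools/control/xmlrpc"  # endpoint named in the advisory
_B64_CHARS = re.compile(r"^[A-Za-z0-9+/=]+$")


def contains_java_serialized(text: str) -> bool:
    """True if the text, read as base64, starts with the Java serialization header."""
    compact = "".join(text.split())
    if len(compact) < 8 or not _B64_CHARS.match(compact):
        return False
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw.startswith(JAVA_SERIAL_MAGIC)


def find_serialized_params(body: str) -> list:
    """Return (param index, element tag) for every parameter text node that decodes
    to a Java serialization stream. Every text node under <param> is checked, so the
    result does not depend on which wrapper element the XML-RPC library uses."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    hits = []
    for index, param in enumerate(root.iter("param")):
        for elem in param.iter():
            if elem.text and contains_java_serialized(elem.text):
                hits.append((index, elem.tag))
    return hits


def triage_request(method: str, path: str, body: str) -> tuple:
    """Classify one HTTP request as 'ignore', 'ok' or 'alert'.
    Deserialization happens before authentication, so no authentication
    state is consulted: any hit on this endpoint is an alert."""
    if method.upper() != "POST" or path.split("?", 1)[0] != XMLRPC_PATH:
        return "ignore", []
    hits = find_serialized_params(body)
    return ("alert" if hits else "ok"), hits


def scan(requests) -> list:
    """Run triage over (method, path, body) tuples; returns (index, verdict, hits)."""
    return [(i, *triage_request(m, p, b)) for i, (m, p, b) in enumerate(requests)]


# --- constructed samples -------------------------------------------------
# A truncated stream header followed by a made-up class name: enough bytes to
# exercise the magic check, not a usable object graph.
SAMPLE_SERIALIZED_B64 = base64.b64encode(
    JAVA_SERIAL_MAGIC + b"\x73\x72\x00\x0bExampleType"
).decode()

BENIGN_BODY = """<methodCall>
  <methodName>exampleService</methodName>
  <params>
    <param><value><string>hello world</string></value></param>
    <param><value><int>42</int></value></param>
  </params>
</methodCall>"""

SUSPICIOUS_BODY = f"""<methodCall>
  <methodName>exampleService</methodName>
  <params>
    <param><value><string>report-id-7</string></value></param>
    <param><value><base64>{SAMPLE_SERIALIZED_B64}</base64></value></param>
  </params>
</methodCall>"""

SAMPLE_REQUESTS = [
    ("POST", XMLRPC_PATH, BENIGN_BODY),
    ("POST", XMLRPC_PATH, SUSPICIOUS_BODY),
    ("GET", "/webtools/control/main", ""),
]

if __name__ == "__main__":
    for index, verdict, hits in scan(SAMPLE_REQUESTS):
        print(f"request {index}: {verdict} {hits}")
```

Decoding the blob and checking the first four bytes is deliberately wrapper-agnostic: the same check works whether the serialized argument arrives in a standard `<base64>` value or in a library-specific extension element, and it avoids false positives on ordinary base64 content such as file uploads. Because the advisory places deserialization before authentication, the verdict ignores session state; an alert on this path is worth investigating regardless of who sent it.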


This issue leads to pre-auth Remote Code Execution


Coordinated Disclosure Timeline


This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).


You can contact the GHSL team at, please include the GHSL-2020-069 in any communication regarding this issue.