CVE-2021-25958: 
Apache OFBiz vulnerability analysis and mitigation

Apache OFBiz versions v17.12.01 to v17.12.07 contain a sensitive information disclosure vulnerability identified as CVE-2021-25958. The vulnerability was discovered and disclosed on August 30, 2021. The issue occurs when handling errors through try-catch exceptions at multiple locations, which can leak sensitive table information that could aid attackers in reconnaissance (NVD, Mend).

The vulnerability is classified as CWE-209 (Generation of Error Message Containing Sensitive Information). It has a CVSS v3.1 base score of 7.5 (HIGH) according to NVD, with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The issue manifests when a user attempts to login with a very long password that exceeds the storage capacity of the UserLoginHistory.passwordUsed field, causing an exception that reveals sensitive database information (NVD).

The vulnerability allows unauthorized access to sensitive table information through error messages, which could be leveraged by attackers for reconnaissance purposes. The exposure of internal system information could potentially aid attackers in planning more targeted attacks against the system (Mend).

The vulnerability has been fixed in Apache OFBiz version 17.12.08. The patch modifies the password storage mechanism to handle cases where the password exceeds the database field capacity by implementing a size check and storing a fixed string instead of the actual password when it's too long (GitHub Patch).