CVE-2023-51467
Apache OFBiz: Pre-authentication Remote Code Execution (RCE) vulnerability
Severity Score
9.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
9
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The vulnerability permits attackers to circumvent authentication processes, enabling them to remotely execute arbitrary code
La vulnerabilidad permite a los atacantes omitir la autenticación para lograr Server-Side Request Forgery (SSRF) simple.
*Credits:
Hasib Vhora, Senior Threat Researcher, SonicWall , Gao Tian, L0ne1y
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2023-12-20 CVE Reserved
- 2023-12-26 CVE Published
- 2023-12-31 First Exploit
- 2024-08-19 CVE Updated
- 2024-10-21 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-918: Server-Side Request Forgery (SSRF)
CAPEC
References (20)
URL | Date | SRC |
---|---|---|
https://issues.apache.org/jira/browse/OFBIZ-12873 | 2024-01-04 |
URL | Date | SRC |
---|---|---|
https://lists.apache.org/thread/9tmf9qyyhgh6m052rhz7lg9vxn390bdv | 2024-01-04 | |
https://lists.apache.org/thread/oj2s6objhdq72t6g29omqpcbd1wlp48o | 2024-01-04 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Apache Search vendor "Apache" | Ofbiz Search vendor "Apache" for product "Ofbiz" | < 18.12.11 Search vendor "Apache" for product "Ofbiz" and version " < 18.12.11" | - |
Affected
|