CVE-2024-23946

Apache OFBiz: Path traversal or file inclusion

Time Line

Published

2024-03-19

Updated

2024-03-19

Firt exploit

2024-03-19

Overview

Descriptions (4)

NVD, NVD, ZDI, TN

CWE (2)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-434: Unrestricted Upload of File with Dangerous Type

CAPEC (-)

Risk

CVSS Score

5.3 Medium

SSVC

Attend

KEV

EPSS

0.9%

Affected Products (-)

Vendors (1)

apache

Products (1)

ofbiz

Versions (1)

< 18.12.12

Intel Resources (-)

Advisories (-)

Exploits (-)

Plugins (-)

References (6)

General (1)

openwall

Exploits & POcs (-)

Patches (1)

apache

Advisories (4)

apache

Summary

Descriptions

Possible path traversal in Apache OFBiz allowing file inclusion.
Users are recommended to upgrade to version 18.12.12, that fixes the issue.

Posible path traversal en Apache OFBiz permitiendo la inclusión de archivos. Se recomienda a los usuarios actualizar a la versión 18.12.12, que soluciona el problema.

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Apache OFBiz. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the createRegister method. The issue results from outputting an error message that includes sensitive information. An attacker can leverage this vulnerability to disclose the names of internal paths used by the system.

Possible path traversal in Apache OFBiz allowing file inclusion. Users are recommended to upgrade to version 18.12.12, that fixes the issue.

*Credits: Arun Shaji from trendmicro.com

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-01-24 CVE Reserved
2024-02-21 CVE Published
2024-12-17 EPSS Updated
2025-02-13 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-434: Unrestricted Upload of File with Dangerous Type

CAPEC

Threat Intelligence Resources (0)

Advisories (0)
Exploits (0)

Security Advisory details:

Select an advisory to view details here.

Select	Title	Date

Select an exploit to view details here.

References (6)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2024/02/28/9	Mailing List

URL	Date	SRC

URL	Date	SRC
https://ofbiz.apache.org/download.html	2024-03-12

URL	Date	SRC
https://issues.apache.org/jira/browse/OFBIZ-12884	2024-03-12
https://lists.apache.org/thread/w4lp5ncpzttf41hn5bsc04mzq4o6lw3g	2024-03-12
https://ofbiz.apache.org/release-notes-18.12.12.html	2024-03-12
https://ofbiz.apache.org/security.html	2024-03-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Ofbiz Search vendor "Apache" for product "Ofbiz"				< 18.12.12 Search vendor "Apache" for product "Ofbiz" and version " < 18.12.12"		-		Affected

CVE-2024-23946

Apache OFBiz: Path traversal or file inclusion

Severity Score

Exploit Likelihood

Affected Versions

Public Exploits

Exploited in Wild

Decision

Summary

Descriptions

CVSS Scores

SSVC

Timeline

CWE

CAPEC

Threat Intelligence Resources (0)

References (6)

Affected Vendors, Products, and Versions