CVE-2024-23946
Apache OFBiz: Path traversal or file inclusion
Severity Score
5.3
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Attend
*SSVC
Descriptions
Possible path traversal in Apache OFBiz allowing file inclusion.
Users are recommended to upgrade to version 18.12.12, that fixes the issue.
Posible path traversal en Apache OFBiz permitiendo la inclusiĆ³n de archivos. Se recomienda a los usuarios actualizar a la versiĆ³n 18.12.12, que soluciona el problema.
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Apache OFBiz. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the createRegister method. The issue results from outputting an error message that includes sensitive information. An attacker can leverage this vulnerability to disclose the names of internal paths used by the system.
*Credits:
Arun Shaji from trendmicro.com
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Attend
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-01-24 CVE Reserved
- 2024-02-21 CVE Published
- 2024-03-13 EPSS Updated
- 2024-08-13 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-434: Unrestricted Upload of File with Dangerous Type
CAPEC
References (6)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2024/02/28/9 | Mailing List |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://ofbiz.apache.org/download.html | 2024-03-12 |
| URL | Date | SRC |
|---|---|---|
| https://issues.apache.org/jira/browse/OFBIZ-12884 | 2024-03-12 | |
| https://lists.apache.org/thread/w4lp5ncpzttf41hn5bsc04mzq4o6lw3g | 2024-03-12 | |
| https://ofbiz.apache.org/release-notes-18.12.12.html | 2024-03-12 | |
| https://ofbiz.apache.org/security.html | 2024-03-12 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Search vendor "Apache" | Ofbiz Search vendor "Apache" for product "Ofbiz" | < 18.12.12 Search vendor "Apache" for product "Ofbiz" and version " < 18.12.12" | - |
Affected
| ||||||