CVE-2024-32113
Apache OFBiz Path Traversal Vulnerability
Severity Score
9.1
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
6
*Multiple Sources
Exploited in Wild
Yes
*KEV
Decision
Act
*SSVC
Descriptions
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13. Users are recommended to upgrade to version 18.12.13, which fixes the issue.
LimitaciĆ³n inadecuada de una vulnerabilidad de nombre de ruta a un directorio restringido ("Path Traversal") en Apache OFBiz. Este problema afecta a Apache OFBiz: antes del 18.12.13. Se recomienda a los usuarios actualizar a la versiĆ³n 18.12.13, que soluciona el problema.
Apache OFBiz contains a path traversal vulnerability that could allow for remote code execution.
*Credits:
Qiyi Zhang (RacerZ) @secsys from Fudan
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Act
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-04-11 CVE Reserved
- 2024-05-08 CVE Published
- 2024-05-19 First Exploit
- 2024-08-07 Exploited in Wild
- 2024-08-28 KEV Due Date
- 2025-02-13 CVE Updated
- 2025-03-30 EPSS Updated
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
References (11)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2024/05/09/1 |
|
|
| https://issues.apache.org/jira/browse/OFBIZ-13006 | Issue Tracking | |
| https://ofbiz.apache.org/download.html | Mitigation | |
| https://ofbiz.apache.org/security.html | Related |
| URL | Date | SRC |
|---|---|---|
| https://packetstorm.news/files/id/179138 | 2024-06-18 | |
| https://www.exploit-db.com/exploits/52020 | 2024-05-19 | |
| https://github.com/Mr-xn/CVE-2024-32113 | 2024-06-03 | |
| https://github.com/RacerZ-fighting/CVE-2024-32113-POC | 2024-08-05 | |
| https://github.com/YongYe-Security/CVE-2024-32113 | 2024-08-07 | |
| https://github.com/MikeyPPPPPPPP/CVE-2024-32113 | 2024-12-25 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://lists.apache.org/thread/w6s60okgkxp2th1sr8vx0ndmgk68fqrd | 2024-06-10 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Software Foundation Search vendor "Apache Software Foundation" | Apache OFBiz Search vendor "Apache Software Foundation" for product "Apache OFBiz" | < 18.12.13 Search vendor "Apache Software Foundation" for product "Apache OFBiz" and version " < 18.12.13" | en |
Affected
| ||||||