CVE-2024-32113
Apache OFBiz Path Traversal Vulnerability
Severity Score
9.1
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
4
*Multiple Sources
Exploited in Wild
Yes
*KEV
Decision
Act
*SSVC
Descriptions
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13.
Users are recommended to upgrade to version 18.12.13, which fixes the issue.
LimitaciĆ³n inadecuada de una vulnerabilidad de nombre de ruta a un directorio restringido ("Path Traversal") en Apache OFBiz. Este problema afecta a Apache OFBiz: antes del 18.12.13. Se recomienda a los usuarios actualizar a la versiĆ³n 18.12.13, que soluciona el problema.
Apache OFBiz contains a path traversal vulnerability that could allow for remote code execution.
*Credits:
Qiyi Zhang (RacerZ) @secsys from Fudan
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Act
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-04-11 CVE Reserved
- 2024-05-08 CVE Published
- 2024-05-19 First Exploit
- 2024-08-07 Exploited in Wild
- 2024-08-08 CVE Updated
- 2024-08-28 KEV Due Date
- 2024-10-29 EPSS Updated
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
References (9)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2024/05/09/1 |
|
|
| https://issues.apache.org/jira/browse/OFBIZ-13006 | Issue Tracking | |
| https://ofbiz.apache.org/download.html | Mitigation | |
| https://ofbiz.apache.org/security.html | Related |
| URL | Date | SRC |
|---|---|---|
| https://www.exploit-db.com/exploits/52020 | 2024-05-19 | |
| https://github.com/Mr-xn/CVE-2024-32113 | 2024-06-03 | |
| https://github.com/RacerZ-fighting/CVE-2024-32113-POC | 2024-08-05 | |
| https://github.com/YongYe-Security/CVE-2024-32113 | 2024-08-07 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://lists.apache.org/thread/w6s60okgkxp2th1sr8vx0ndmgk68fqrd | 2024-06-10 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Software Foundation Search vendor "Apache Software Foundation" | Apache OFBiz Search vendor "Apache Software Foundation" for product "Apache OFBiz" | < 18.12.13 Search vendor "Apache Software Foundation" for product "Apache OFBiz" and version " < 18.12.13" | en |
Affected
| ||||||