CVE-2024-38856

Apache OFBiz Incorrect Authorization Vulnerability

Severity Score

8.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

Act

*SSVC

Descriptions

Incorrect Authorization vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: through 18.12.14.

Users are recommended to upgrade to version 18.12.15, which fixes the issue.

Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).

This vulnerability allows remote attackers to bypass authentication on affected installations of Apache OFBiz. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the implementation of the resolveURI method. The issue results from improper URI validation. An attacker can leverage this vulnerability to bypass authentication on the system.

Apache OFBiz contains an incorrect authorization vulnerability that could allow remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker.

*Credits: unam4, ruozhi, m1sn0w, kuiplatain, PaperPen@Timeline Sec, RacerZ, e0mlja, Donghyun, 4ra1n, godspeed, Hasib Vhora, pwnull, blckder02-YHLab, Xenc from SGLAB of Legendsec at Qi'anxin Group, Nicholas Zubrisky., Y4tacker

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Act

Exploitation

Active

Automatable

Yes

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-06-20 CVE Reserved
2024-08-05 CVE Published
2024-08-09 First Exploit
2024-08-27 Exploited in Wild
2024-08-31 CVE Updated
2024-09-17 KEV Due Date
2024-11-20 EPSS Updated

CWE

CWE-863: Incorrect Authorization

CAPEC

References (10)

URL	Tag	Source
https://issues.apache.org/jira/browse/OFBIZ-13128	Issue Tracking
https://ofbiz.apache.org/download.html	Mitigation
https://ofbiz.apache.org/security.html	Related

URL	Date	SRC
https://github.com/codeb0ss/CVE-2024-38856-PoC	2024-08-09
https://github.com/Praison001/CVE-2024-38856-ApacheOfBiz	2024-08-18
https://github.com/0x20c/CVE-2024-38856-EXP	2024-08-22
https://github.com/ThatNotEasy/CVE-2024-38856	2024-08-10
https://github.com/BBD-YZZ/CVE-2024-38856-RCE	2024-08-28
https://github.com/emanueldosreis/CVE-2024-38856	2024-08-28

URL	Date	SRC

URL	Date	SRC
https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w	2024-08-05

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache OFBiz Search vendor "Apache Software Foundation" for product "Apache OFBiz"				<= 18.12.14 Search vendor "Apache Software Foundation" for product "Apache OFBiz" and version " <= 18.12.14"		en		Affected