CVE-2024-45507
Apache OFBiz: Prevent use of URLs in files when loading them from Java or Groovy, leading to a RCE
Severity Score
8.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track*
*SSVC
Descriptions
Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue.
Vulnerabilidad de Server-Side Request Forgery (SSRF) y control inadecuado de la generación de código ('inyección de código') en Apache OFBiz. Este problema afecta a Apache OFBiz: anterior a la versión 18.12.16. Se recomienda a los usuarios que actualicen a la versión 18.12.16, que soluciona el problema.
*Credits:
孙相 (Sun Xiang)
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track*
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-09-01 CVE Reserved
- 2024-09-04 CVE Published
- 2024-09-12 First Exploit
- 2024-09-13 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-94: Improper Control of Generation of Code ('Code Injection')
- CWE-918: Server-Side Request Forgery (SSRF)
CAPEC
References (5)
| URL | Tag | Source |
|---|---|---|
| https://issues.apache.org/jira/browse/OFBIZ-13132 | Issue Tracking | |
| https://ofbiz.apache.org/download.html | Mitigation |
| URL | Date | SRC |
|---|---|---|
| https://github.com/Avento/CVE-2024-45507_Behinder_Webshell | 2024-09-12 |
| URL | Date | SRC |
|---|---|---|
| https://ofbiz.apache.org/security.html | 2024-09-04 |
| URL | Date | SRC |
|---|---|---|
| https://lists.apache.org/thread/o90dd9lbk1hh3t2557t2y2qvrh92p7wy | 2024-09-04 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Software Foundation Search vendor "Apache Software Foundation" | Apache OFBiz Search vendor "Apache Software Foundation" for product "Apache OFBiz" | < 18.12.16 Search vendor "Apache Software Foundation" for product "Apache OFBiz" and version " < 18.12.16" | en |
Affected
| ||||||