Pre-auth RCE in Apache Ofbiz Prior to 18.12.10 Due to XML-RPC No Longer Maintained
CVE-2023-49070
Key Information:
- Vendor
- Apache
- Status
- Vendor
- CVE Published:
- 5 December 2023
Badges
Summary
The vulnerability in Apache OFBiz arises from an outdated XML-RPC component, which has not been maintained and poses a risk of pre-authentication remote code execution. This issue specifically affects Apache OFBiz versions before 18.12.10, highlighting the necessity for users to upgrade to the latest version. Failure to update can leave systems open to potential exploitation.
Affected Version(s)
Apache OFBiz 0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
Get notified when SecurityVulnerability.io launches alerting 🔔
Well keep you posted 📧
News Articles
Critical Apache OFBiz Vulnerability in Attacker Crosshairs
Shadowserver sees possible in-the-wild exploitation of a critical Apache OFBiz vulnerability tracked as CVE-2023-49070.
Authentication bypass likely with new critical Apache OFBiz zero-day
Threat actors could evade authentication protections in Apache's OFBiz enterprise resource planning system by abusing a novel critical zero-day flaw, tracked as CVE-2023-51467, reports The Hacker News.
Apache OFBiz RCE flaw exploited to find vulnerable Confluence servers
A critical Apache OFBiz pre-authentication remote code execution vulnerability is being actively exploited using public proof of concept (PoC) exploits.
References
EPSS Score
93% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
- 📰
First article discovered by The Hacker News
Vulnerability published
Vulnerability Reserved