Apache OFBiz: Arbitrary file properties reading and SSRF attack
CVE-2023-50968

7.5HIGH

Key Information:

Vendor
Apache
CVE Published:
26 December 2023

Badges

🟣 EPSS 54%   📰 News Worthy

Summary

Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when a user operates a URI call without authorization.

The same URI can be operated to realize an SSRF attack, also without authorization.

Users are recommended to upgrade to version 18.12.11, which fixes this issue.

Affected Version(s)

Apache OFBiz <= 18.12.10

News Articles

Apache OFBiz Arbitrary File Reading and Remote Code Execution Vulnerabilities (CVE-2023-50968/CVE-2023-51467) Alert

Overview Recently, NSFOCUS CERT detected that Apache officially released a security announcement and fixed two high-risk vulnerabilities in Apache OFBiz. CVE-2023-50968: Due to problems in Apache Software Foundation, unauthorized attackers can read files and carry out SSRF attacks when operating uri...

1 year ago

References

EPSS Score

54% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 📰

    First article discovered by Security Boulevard

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD Database, Mitre Database, 1 News Article(s)

Credit

Yun Peng - 郭运鹏 <[email protected]>