Apache OFBiz: Arbitrary file properties reading and SSRF attack
CVE-2023-50968

7.5 HIGH

Key Information:

Vendor
Apache
CVE Published:
26 December 2023

Badges

  • EPSS 53%
  • News Worthy

Summary

An arbitrary file properties reading vulnerability in Apache OFBiz allows unauthorized users to make URI calls without proper access controls. The same flaw also opens the door to a possible Server-Side Request Forgery (SSRF) attack, in which unauthenticated users cause the server to issue requests to internal systems on their behalf. Users of affected versions should upgrade to version 18.12.11 to mitigate these risks.

Affected Version(s)

Apache OFBiz, all versions up to and including 18.12.10

News Articles

Apache OFBiz Arbitrary File Reading and Remote Code Execution Vulnerabilities (CVE-2023-50968/CVE-2023-51467) Alert

Overview: Recently, NSFOCUS CERT detected that Apache officially released a security announcement and fixed two high-risk vulnerabilities in Apache OFBiz. CVE-2023-50968: Due to problems in Apache Software Foundation, unauthorized attackers can read files and carry out SSRF attacks when operating uri...

EPSS Score

53% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • First article discovered by Security Boulevard
  • Vulnerability published
  • Vulnerability reserved

Credit

Yun Peng - 郭 运鹏 <[email protected]>