Apache OFBiz vulnerable to Path Traversal attack
CVE-2024-36104

9.1CRITICAL

Key Information:

Vendor

Apache
Status
Apache Ofbiz
Vendor
CVE Published:
4 June 2024

Badges

👾 Exploit Exists🟣 EPSS 93%📰 News Worthy

What is CVE-2024-36104?

Apache OFBiz is affected by a Path Traversal vulnerability that allows attackers to gain unauthorized access to restricted directories. This issue can lead to sensitive data exposure and requires urgent remediation. Users are strongly encouraged to upgrade to version 18.12.14 or later to mitigate this vulnerability effectively.

Affected Version(s)

Apache OFBiz 0 < 18.12.14

News Articles

favicon imageSC Media

RCE possible with critical Apache OFBiz zero-day

Such a security issue — which is a patch bypass for the already addressed path traversal flaw, tracked as CVE-2024-36104 — stems from an authentication mechanism vulnerability enabling unauthenticated access to critical endpoints.

References

https://ofbiz.apache.org/download.html
mitigation
https://ofbiz.apache.org/security.html
related
https://issues.apache.org/jira/browse/OFBIZ-13092
issue-tracking

EPSS Score

93% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 👾

    Exploit known to exist

  • 📰

    First article discovered by SC Media

  • Vulnerability published

  • Vulnerability Reserved

Credit

godspeed (AAA@ZJU)
.
CVE-2024-36104 : Apache OFBiz vulnerable to Path Traversal attack