Apache OFBiz vulnerable to Path Traversal attack
CVE-2024-36104

9.1CRITICAL

Key Information:

Vendor: Apache
Status: Apache Ofbiz
Vendor: CVE Published:; 4 June 2024

Badges

👾 Exploit Exists📰 News Worthy

Summary

Apache OFBiz is affected by a Path Traversal vulnerability that allows attackers to gain unauthorized access to restricted directories. This issue can lead to sensitive data exposure and requires urgent remediation. Users are strongly encouraged to upgrade to version 18.12.14 or later to mitigate this vulnerability effectively.

Affected Version(s)

Apache OFBiz 0 < 18.12.14

News Articles

SC Media

CVE-2024-36104

RCE possible with critical Apache OFBiz zero-day

Such a security issue — which is a patch bypass for the already addressed path traversal flaw, tracked as CVE-2024-36104 — stems from an authentication mechanism vulnerability enabling unauthenticated access to critical endpoints.

References

https://ofbiz.apache.org/download.html

mitigation

https://ofbiz.apache.org/security.html

https://issues.apache.org/jira/browse/OFBIZ-13092

issue-tracking

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

👾
Exploit known to exist
Aug 7, 2024
📰
First article discovered by SC Media
Aug 7, 2024
Vulnerability published
Jun 4, 2024
Vulnerability Reserved
May 20, 2024

Credit

godspeed (AAA@ZJU)

Key Information:

Badges

Summary

Affected Version(s)

Get notified when SecurityVulnerability.io launches alerting 🔔

News Articles

RCE possible with critical Apache OFBiz zero-day

References

CVSS V3.1

Timeline

Credit