Server-Side Request Forgery (SSRF) and Improper Control of Generation of Code (Code Injection) Vulnerability in Apache OFBiz

CVE-2024-45507

9.8 CRITICAL

Key Information

Vendor: Apache
Product: Apache OFBiz
CVE Published: 4 September 2024

Badges

Trended | Score: 3,500 | EPSS 57%

What is CVE-2024-45507?

CVE-2024-45507 is a critical-severity (CVSS 9.8) vulnerability in Apache OFBiz, an open-source enterprise resource planning (ERP) suite covering e-commerce, manufacturing, accounting and supply chain functions. The advisory classifies it under two weaknesses: Server-Side Request Forgery (SSRF, CWE-918) and Improper Control of Generation of Code, i.e. code injection (CWE-94). It is reachable over the network without authentication or user interaction. A successful attack lets the attacker make the OFBiz server issue requests on their behalf, reaching internal systems the server can talk to, and, through the code injection component, execute arbitrary code on the server, compromising the data and systems it holds.

Technical Details

The vulnerability affects all Apache OFBiz releases before 18.12.16; the Apache advisory recommends upgrading to 18.12.16, which fixes the issue, and gives no further detail on the affected component. The two weaknesses are complementary. The SSRF component means the server can be made to send attacker-controlled requests to destinations the attacker chose, including internal hosts, loopback services and cloud metadata endpoints that are not reachable from outside; that alone exposes data and widens the attack surface. The code injection component means attacker-supplied input ends up in something the server evaluates as code, so the outcome is arbitrary code execution in the context of the OFBiz process rather than just an unexpected outbound request. Together they give an unauthenticated remote attacker a direct path to full compromise.

Impact of the Vulnerability

  1. Unauthorized Access: An attacker could use the vulnerability to read sensitive information held by the ERP, such as customer records, proprietary business process data and system configuration.

  2. Remote Code Execution: The code injection weakness allows arbitrary code to run on the server with the privileges of the OFBiz process, leading to full compromise of the host and a foothold for further activity on the network.

  3. Internal Resource Exposure: Through SSRF, the attacker can reach internal services and databases that external firewalling would otherwise protect, with potential data breaches and exposure of critical systems as a result.
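The SSRF component described above turns the OFBiz server into a proxy for reaching addresses the attacker cannot reach directly. The following is an added example, not code from Apache OFBiz or from the advisory, showing the destination guard a server-side fetch should apply so that a crafted URL cannot be pointed at loopback, link-local (cloud metadata) or RFC 1918 space. It handles the usual bypass shapes (bare integer hosts, IPv4-mapped IPv6 literals, credentials in the URL) and takes the resolver as a parameter so it runs offline; the hostname table in `EXAMPLE_RESOLVER` is constructed for the example.

```python
"""Destination guard for server-side URL fetches (added example, not OFBiz code).

Rejects any URL whose host does not resolve to a globally routable address,
which is the check an SSRF primitive needs to bypass in order to reach
internal services, loopback listeners or the 169.254.169.254 metadata endpoint.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed lookup table standing in for DNS so the example runs offline.
# In production pass socket.gethostbyname, or better a resolver that returns
# every address and checks each one.
_EXAMPLE_DNS = {
    "example.com": "93.184.216.34",
    "internal-db.corp.local": "10.0.0.5",
    "metadata": "169.254.169.254",
}


def EXAMPLE_RESOLVER(host):
    """Offline resolver: raises socket.gaierror (an OSError) like getaddrinfo."""
    try:
        return _EXAMPLE_DNS[host]
    except KeyError:
        raise socket.gaierror("constructed NXDOMAIN for %r" % host)


def _host_to_ip(host, resolver):
    """Turn a URL host into an IP object.

    Handles dotted IPv4 and IPv6 literals (brackets already removed by
    urlsplit), bare integer hosts such as 2130706433 (== 127.0.0.1) that some
    URL parsers accept, and IPv4-mapped IPv6 literals such as ::ffff:127.0.0.1;
    anything else is resolved through `resolver`.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        if host.isdigit():
            ip = ipaddress.ip_address(int(host))
        else:
            ip = ipaddress.ip_address(resolver(host))
    # ::ffff:a.b.c.d is really an IPv4 destination; judge it as one.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def is_safe_destination(url, resolver=socket.gethostbyname):
    """Return (ok, reason).

    ok is True only when the URL uses http or https, carries no userinfo,
    and its host resolves to a globally routable address. `reason` explains
    a rejection, or holds the vetted IP on success so the caller can connect
    to that exact address (re-resolving later reopens a DNS-rebinding window).
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    if not parts.hostname:
        return False, "no host in URL"
    try:
        ip = _host_to_ip(parts.hostname, resolver)
    except (ValueError, OSError) as exc:
        return False, "unresolvable host: %s" % exc
    # is_global is False for loopback, link-local (169.254.0.0/16, where cloud
    # metadata services live), RFC 1918 and fc00::/7 private space, 0.0.0.0
    # and the other reserved ranges.
    if not ip.is_global:
        return False, "non-public address %s" % ip
    return True, str(ip)


if __name__ == "__main__":
    for candidate in (
        "https://example.com/feed.xml",
        "http://127.0.0.1:8080/",
        "http://169.254.169.254/latest/meta-data/",
        "http://2130706433/",
        "http://[::ffff:127.0.0.1]/",
        "http://internal-db.corp.local/",
        "http://user:pw@example.com/",
        "file:///etc/passwd",
    ):
        print(candidate, "->", is_safe_destination(candidate, EXAMPLE_RESOLVER))
```

Two caveats follow from the design. The vetted address returned on success is the one the caller should actually connect to; resolving the name a second time inside the HTTP client reintroduces DNS rebinding. And the check must be re-applied on every redirect hop, since an allowed external host can 302 the server to an internal one.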

Affected Version(s)

Apache OFBiz < 18.12.16 (fixed in 18.12.16)

EPSS Score

57% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability started trending

  • Vulnerability published

  • Vulnerability reserved

Collectors

NVD Database, Mitre Database

Credit

孙相 (Sun Xiang)