The Digital Security Authority (DSA) wants to bring to your attention that a vulnerability has been identified in Apache OFBiz that allows attackers to remotely execute code on vulnerable systems.
Technical Details
Vulnerability Details:
- Vulnerability: CVE-2024-32113
- Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.
Affected Software:
Apache OFBiz versions prior to 18.12.13
Impact:
Successful exploitation of this vulnerability could allow for remote code execution in the context of the affected service account. Depending on the privileges associated with the service account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Fixed Versions:
- Apache OFBiz Version 18.12.13
Recommendations
The Digital Security Authority recommends upgrading to the fixed version at the earliest opportunity.
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-32113
- https://lists.apache.org/thread/w6s60okgkxp2th1sr8vx0ndmgk68fqrd
- https://ofbiz.apache.org/security.html
- https://ofbiz.apache.org/download.html
The information presented in this report is based on available data up to the 18th of May 2024.