oss-sec mailing list archives

CVE-2023-51467: Apache OFBiz: Pre-authentication Remote Code Execution (RCE) vulnerability

From: Deepak Dixit <deepak () apache org>
Date: Tue, 26 Dec 2023 12:02:12 +0000

Severity: critical

Affected versions:

- Apache OFBiz before 18.12.11

Description:

The vulnerability allows attackers to bypass authentication to achieve a simple Server-Side Request Forgery (SSRF)

This issue is being tracked as OFBIZ-12873 

Credit:

Hasib Vhora, Senior Threat Researcher, SonicWall  (finder)
Gao Tian (finder)
L0ne1y (finder)

References:

https://ofbiz.apache.org/download.html
https://ofbiz.apache.org/security.html
https://ofbiz.apache.org/release-notes-18.12.11.html
https://issues.apache.org/jira/browse/OFBIZ-12873
https://ofbiz.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-51467
https://issues.apache.org/jira/browse/OFBIZ-12873

Current thread:

CVE-2023-51467: Apache OFBiz: Pre-authentication Remote Code Execution (RCE) vulnerability Deepak Dixit (Dec 26)