Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13. Users are recommended to upgrade to version 18.12.13, which fixes the issue.
The vulnerability results from improper verification of file access paths (CWE-22) — the application does not properly restrict access to directories, allowing an attacker to construct a crafted HTTP request containing path traversal sequences (e.g., '../'). In this way, the attacker can exit the allowed application directory and gain access to sensitive operating system files or perform unauthorized operations. The attack does not require authentication, special privileges, or user interaction, which reflects the highest CVSS vector scores.
An attacker can obtain unauthorized read, write, or execution of files outside the application directory, which may consequently lead to complete system takeover, disclosure of sensitive data, and violation of service integrity and availability.
Apache OFBiz must be immediately updated to version 18.12.13 or later, which eliminates the described vulnerability. Packages are available at https://ofbiz.apache.org/download.html
Apache OFBiz in all versions before 18.12.13
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Ofbiz
APPApache< 18.12.13
CISA KEV — detailsi
- Vendori
- Apache ↗
- Producti
- OFBiz
- Added to KEVi
- August 7, 2024
- Remediation deadline (US Federal)i
- August 28, 2024(overdue)
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Apache OFBiz contains a path traversal vulnerability that could allow for remote code execution.
Related vulnerabilities
Apache OFBiz — nieautoryzowane wykonanie kodu przez błędną autoryzację
Apache OFBiz — użycie zakodowanego na stałe klucza kryptograficznego
LDAP Injection w Apache OFBiz umożliwiający nieautoryzowany dostęp
Apache OFBiz — Auth Bypass i RCE poprzez błąd logiki zmiany hasła
Apache OFBiz: Code Injection w pluginie scrum umożliwia RCE