CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2024-32113

CVSS 9.8v3.1pub. 2024-05-08upd. 2025-10-23

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13. Users are recommended to upgrade to version 18.12.13, which fixes the issue.

🤖 AI Analysis
How it works

The vulnerability results from improper verification of file access paths (CWE-22) — the application does not properly restrict access to directories, allowing an attacker to construct a crafted HTTP request containing path traversal sequences (e.g., '../'). In this way, the attacker can exit the allowed application directory and gain access to sensitive operating system files or perform unauthorized operations. The attack does not require authentication, special privileges, or user interaction, which reflects the highest CVSS vector scores.

Impact

An attacker can obtain unauthorized read, write, or execution of files outside the application directory, which may consequently lead to complete system takeover, disclosure of sensitive data, and violation of service integrity and availability.

Mitigation & patch

Apache OFBiz must be immediately updated to version 18.12.13 or later, which eliminates the described vulnerability. Packages are available at https://ofbiz.apache.org/download.html

Who is affected

Apache OFBiz in all versions before 18.12.13

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Ofbiz

    APP
    Apache
    < 18.12.13

CISA KEV — detailsi

Vendori
Apache
Producti
OFBiz
Added to KEVi
August 7, 2024
Remediation deadline (US Federal)i
August 28, 2024(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Apache OFBiz contains a path traversal vulnerability that could allow for remote code execution.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 28 sierpnia 2024
Tags
Path Traversal
CWE
References

Related vulnerabilities

CVE-2024-38856CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Apache OFBiz — nieautoryzowane wykonanie kodu przez błędną autoryzację

CVE-2026-31986CRITICAL9.1PL ✓ten sam produkt

Apache OFBiz — użycie zakodowanego na stałe klucza kryptograficznego

CVE-2026-41919CRITICAL9.1PL ✓ten sam produkt

LDAP Injection w Apache OFBiz umożliwiający nieautoryzowany dostęp

CVE-2026-45434CRITICAL9.8PL ✓ten sam produkt

Apache OFBiz — Auth Bypass i RCE poprzez błąd logiki zmiany hasła

CVE-2025-54466CRITICAL9.8PL ✓ten sam produkt

Apache OFBiz: Code Injection w pluginie scrum umożliwia RCE