CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score: 8.2 High (Confidence: High)
CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 0.591 Medium (Percentile: 97.4%)
Pre-auth RCE in Apache OFBiz 18.12.09.
It is due to the XML-RPC component, which is no longer maintained, still being present.
This issue affects Apache OFBiz: before 18.12.10.
Users are recommended to upgrade to version 18.12.10.
Recent assessments:
cbeek-r7 at January 03, 2024 8:34am UTC reported:
CVE-2023-49070 is a critical security vulnerability in Apache OFBiz, a comprehensive open-source enterprise resource planning (ERP) system. This vulnerability is classified as a pre-authentication remote code execution (RCE) issue, primarily stemming from an outdated and no longer maintained XML-RPC component in Apache OFBiz. The specific version affected is 18.12.09, and it is recommended that users upgrade to version 18.12.10 to mitigate the risk.
In terms of severity, CVE-2023-49070 has a CVSS v3 Base Score of 9.8, which is considered critical. The CVSS scoring vector for this vulnerability indicates that the vulnerability is network exploitable, requires low attack complexity, no privileges, and no user interaction. It has an impact on confidentiality, integrity, and availability, all rated as high.
Additionally, the Exploit Prediction Scoring System (EPSS) score for CVE-2023-49070 indicates a 50.12% probability of exploitation activity in the next 30 days. ShadowServer is already observing scans being executed using an available PoC for this vulnerability: <https://github.com/abdoghazy2015/ofbiz-CVE-2023-49070-RCE-POC>. The patch provided for this vulnerability failed to remove the root cause of the issue, and it is advised to update again for CVE-2023-51467 (<https://www.openwall.com/lists/oss-security/2023/12/26/3>).
Given its critical nature, high likelihood of exploitation, and the potential for significant impact, it’s essential for organizations using Apache OFBiz to address this vulnerability promptly.
Assessed Attacker Value: 5
packetstormsecurity.com/files/176323/Apache-OFBiz-18.12.09-Remote-Code-Execution.html
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49070
github.com/abdoghazy2015/ofbiz-CVE-2023-49070-RCE-POC
issues.apache.org/jira/browse/OFBIZ-12812
lists.apache.org/thread/jmbqk2lp4t4483whzndp5xqlq4f3otg3
ofbiz.apache.org/download.html
ofbiz.apache.org/release-notes-18.12.10.html
ofbiz.apache.org/security.html