AttackerKB AKB:55D283E2-9183-4A93-8C7E-49D680C5B37D
History: Dec 05, 2023 - 12:00 a.m.

CVE-2023-49070

2023-12-05 00:00:00
attackerkb.com
Tags: apache ofbiz, critical vulnerability, rce, xml-rpc, upgrade, version 18.12.10, cve-2023-49070, exploitation, security patch

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.2 High (Confidence: High)

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.591 Medium
Percentile: 97.4%

Pre-auth RCE in Apache OFBiz 18.12.09.

It is due to the XML-RPC component, which is no longer maintained, still being present.
This issue affects Apache OFBiz before 18.12.10.
Users are recommended to upgrade to version 18.12.10.

Recent assessments:

cbeek-r7 at January 03, 2024 8:34am UTC reported:

CVE-2023-49070 is a critical security vulnerability in Apache OFBiz, a comprehensive open-source enterprise resource planning (ERP) system. This vulnerability is classified as a pre-authentication remote code execution (RCE) issue, primarily stemming from an outdated and no longer maintained XML-RPC component in Apache OFBiz. The specific version affected is 18.12.09, and it is recommended that users upgrade to version 18.12.10 to mitigate the risk.

In terms of severity, CVE-2023-49070 has a CVSS v3 Base Score of 9.8, which is considered critical. The CVSS scoring vector for this vulnerability indicates that the vulnerability is network exploitable, requires low attack complexity, no privileges, and no user interaction. It has an impact on confidentiality, integrity, and availability, all rated as high.

Additionally, the Exploit Prediction Scoring System (EPSS) score for CVE-2023-49070 indicates a 50.12% probability of exploitation activity in the next 30 days. ShadowServer is already observing scans being executed by using an available PoC for this vulnerability: <https://github.com/abdoghazy2015/ofbiz-CVE-2023-49070-RCE-POC>. The patch provided for this vulnerability failed to remove the root cause of the issue and it is advised to update again for CVE-2023-51467 (<https://www.openwall.com/lists/oss-security/2023/12/26/3>).

Given its critical nature, high likelihood of exploitation, and the potential for significant impact, it’s essential for organizations using Apache OFBiz to address this vulnerability promptly.

Assessed Attacker Value: 5
