CVE-2023-46819 - Vulnerability Details - OpenCVE

Description

Missing Authentication in Apache Software Foundation Apache OFBiz when using the Solr plugin.
This issue affects Apache OFBiz: before 18.12.09.

Users are recommended to upgrade to version 18.12.09

Published: 2023-11-07

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apache Software Foundation

Apache OFBiz

affected

Version	Status	Constraints
`0`	affected	< 18.12.09

Configuration 1 [-]

cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2023-50985	Missing Authentication in Apache Software Foundation Apache OFBiz when using the Solr plugin. This issue affects Apache OFBiz: before 18.12.09. Users are recommended to upgrade to version 18.12.09

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00299.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://lists.apache.org/thread/mm5j0rsbl22q7yb0nmb6h2swbfjbwv99
https://ofbiz.apache.org/download.html
https://ofbiz.apache.org/release-notes-18.12.09.html
https://ofbiz.apache.org/security.html

History

No history.

Subscriptions

Apache Ofbiz

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2023-11-07T11:02:03.305Z

Updated: 2024-09-04T19:09:30.869Z

Reserved: 2023-10-27T07:20:50.849Z

Link: CVE-2023-46819

Vulnrichment

Updated: 2024-08-02T20:53:21.883Z

NVD

Status : Modified

Published: 2023-11-07T11:15:10.937

Modified: 2024-11-21T08:29:22.603

Link: CVE-2023-46819

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-306

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-46819", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-10-27T07:20:50.849Z", "datePublished": "2023-11-07T11:02:03.305Z", "dateUpdated": "2024-09-04T19:09:30.869Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Apache OFBiz", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "18.12.09", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Anonymous by demand"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authentication in Apache Software Foundation Apache OFBiz when using the Solr plugin.<br><p>This issue affects Apache OFBiz: before 18.12.09. \n\n<span style=\"background-color: rgb(255, 255, 255);\">Users are recommended to upgrade to version 18.12.09</span></p>"}], "value": "Missing Authentication in Apache Software Foundation Apache OFBiz when using the Solr plugin.\nThis issue affects Apache OFBiz: before 18.12.09.\u00a0\n\nUsers are recommended to upgrade to version 18.12.09\n\n"}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-11-10T08:04:39.492Z"}, "references": [{"tags": ["mitigation"], "url": "https://ofbiz.apache.org/download.html"}, {"tags": ["related"], "url": "https://ofbiz.apache.org/security.html"}, {"tags": ["release-notes"], "url": "https://ofbiz.apache.org/release-notes-18.12.09.html"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/mm5j0rsbl22q7yb0nmb6h2swbfjbwv99"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache OFBiz: Execution of Solr plugin queries without authentication", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:53:21.883Z"}, "title": "CVE Program Container", "references": [{"tags": ["mitigation", "x_transferred"], "url": "https://ofbiz.apache.org/download.html"}, {"tags": ["related", "x_transferred"], "url": "https://ofbiz.apache.org/security.html"}, {"tags": ["release-notes", "x_transferred"], "url": "https://ofbiz.apache.org/release-notes-18.12.09.html"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/mm5j0rsbl22q7yb0nmb6h2swbfjbwv99"}]}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-09-04T19:08:46.622717Z", "id": "CVE-2023-46819", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-04T19:09:30.869Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://ofbiz.apache.org/download.html", "tags": ["mitigation", "x_transferred"]}, {"url": "https://ofbiz.apache.org/security.html", "tags": ["related", "x_transferred"]}, {"url": "https://ofbiz.apache.org/release-notes-18.12.09.html", "tags": ["release-notes", "x_transferred"]}, {"url": "https://lists.apache.org/thread/mm5j0rsbl22q7yb0nmb6h2swbfjbwv99", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:53:21.883Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-46819", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-04T19:08:46.622717Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-04T19:09:23.759Z"}}], "cna": {"title": "Apache OFBiz: Execution of Solr plugin queries without authentication", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Anonymous by demand"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache OFBiz", "versions": [{"status": "affected", "version": "0", "lessThan": "18.12.09", "versionType": "custom"}], "defaultStatus": "affected"}], "references": [{"url": "https://ofbiz.apache.org/download.html", "tags": ["mitigation"]}, {"url": "https://ofbiz.apache.org/security.html", "tags": ["related"]}, {"url": "https://ofbiz.apache.org/release-notes-18.12.09.html", "tags": ["release-notes"]}, {"url": "https://lists.apache.org/thread/mm5j0rsbl22q7yb0nmb6h2swbfjbwv99", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Missing Authentication in Apache Software Foundation Apache OFBiz when using the Solr plugin.\nThis issue affects Apache OFBiz: before 18.12.09.\u00a0\n\nUsers are recommended to upgrade to version 18.12.09\n\n", "supportingMedia": [{"type": "text/html", "value": "Missing Authentication in Apache Software Foundation Apache OFBiz when using the Solr plugin.<br><p>This issue affects Apache OFBiz: before 18.12.09. \n\n<span style=\"background-color: rgb(255, 255, 255);\">Users are recommended to upgrade to version 18.12.09</span></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-11-10T08:04:39.492Z"}}}, "cveMetadata": {"cveId": "CVE-2023-46819", "state": "PUBLISHED", "dateUpdated": "2024-09-04T19:09:30.869Z", "dateReserved": "2023-10-27T07:20:50.849Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2023-11-07T11:02:03.305Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*", "matchCriteriaId": "232A3660-508C-40BE-806D-5B2EAC0D9950", "versionEndExcluding": "18.12.09", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Missing Authentication in Apache Software Foundation Apache OFBiz when using the Solr plugin.\nThis issue affects Apache OFBiz: before 18.12.09.\u00a0\n\nUsers are recommended to upgrade to version 18.12.09\n\n"}, {"lang": "es", "value": "Falta autenticaci\u00f3n en Apache Software Foundation Apache OFBiz cuando se usa el complemento Solr. Este problema afecta a Apache OFBiz: antes del 18.12.09. Se recomienda a los usuarios actualizar a la versi\u00f3n 18.12.09"}], "id": "CVE-2023-46819", "lastModified": "2024-11-21T08:29:22.603", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-11-07T11:15:10.937", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "url": "https://lists.apache.org/thread/mm5j0rsbl22q7yb0nmb6h2swbfjbwv99"}, {"source": "security@apache.org", "tags": ["Product"], "url": "https://ofbiz.apache.org/download.html"}, {"source": "security@apache.org", "tags": ["Release Notes"], "url": "https://ofbiz.apache.org/release-notes-18.12.09.html"}, {"source": "security@apache.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://ofbiz.apache.org/security.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "url": "https://lists.apache.org/thread/mm5j0rsbl22q7yb0nmb6h2swbfjbwv99"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://ofbiz.apache.org/download.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://ofbiz.apache.org/release-notes-18.12.09.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://ofbiz.apache.org/security.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "security@apache.org", "type": "Secondary"}]}