OpenCVE

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13. Users are recommended to upgrade to version 18.12.13, which fixes the issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Ofbiz

Configuration 1 [-]

cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/05/09/1
https://issues.apache.org/jira/browse/OFBIZ-13006
https://lists.apache.org/thread/w6s60okgkxp2th1sr8vx0ndmgk68fqrd
https://ofbiz.apache.org/download.html
https://ofbiz.apache.org/security.html

History

Thu, 08 Aug 2024 14:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache Apache ofbiz
CPEs		cpe:2.3:a:apache:ofbiz::::::::
Vendors & Products		Apache Apache ofbiz
Metrics	cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}`	cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-05-08T14:50:07.272Z

Updated: 2024-08-08T03:55:22.955Z

Reserved: 2024-04-11T06:42:13.766Z

Link: CVE-2024-32113

Vulnrichment

Updated: 2024-08-02T02:06:44.061Z

NVD

Status : Analyzed

Published: 2024-05-08T15:15:10.227

Modified: 2024-08-08T13:38:57.533

Link: CVE-2024-32113

Redhat

No data.

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-32113", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-04-11T06:42:13.766Z", "datePublished": "2024-05-08T14:50:07.272Z", "dateUpdated": "2024-08-08T03:55:22.955Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache OFBiz", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "18.12.13", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Qiyi Zhang (RacerZ) @secsys from Fudan"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.<p>This issue affects Apache OFBiz: before 18.12.13.</p><p>Users are recommended to upgrade to version 18.12.13, which fixes the issue.</p>"}], "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13.\n\nUsers are recommended to upgrade to version 18.12.13, which fixes the issue.\n\n"}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-05-08T14:50:07.272Z"}, "references": [{"tags": ["mitigation"], "url": "https://ofbiz.apache.org/download.html"}, {"tags": ["related"], "url": "https://ofbiz.apache.org/security.html"}, {"tags": ["issue-tracking"], "url": "https://issues.apache.org/jira/browse/OFBIZ-13006"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/w6s60okgkxp2th1sr8vx0ndmgk68fqrd"}, {"url": "http://www.openwall.com/lists/oss-security/2024/05/09/1"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache OFBiz: Path traversal leading to RCE", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"affected": [{"vendor": "apache", "product": "ofbiz", "cpes": ["cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThan": "18.12.13", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-08-05T00:00:00+00:00", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2024-32113"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2024-08-07", "reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-08T03:55:22.955Z"}, "timeline": [{"time": "2024-08-07T00:00:00+00:00", "lang": "en", "value": "CVE-2024-32113 added to CISA KEV"}]}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:06:44.061Z"}, "title": "CVE Program Container", "references": [{"tags": ["mitigation", "x_transferred"], "url": "https://ofbiz.apache.org/download.html"}, {"tags": ["related", "x_transferred"], "url": "https://ofbiz.apache.org/security.html"}, {"tags": ["issue-tracking", "x_transferred"], "url": "https://issues.apache.org/jira/browse/OFBIZ-13006"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/w6s60okgkxp2th1sr8vx0ndmgk68fqrd"}, {"url": "http://www.openwall.com/lists/oss-security/2024/05/09/1", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://ofbiz.apache.org/download.html", "tags": ["mitigation", "x_transferred"]}, {"url": "https://ofbiz.apache.org/security.html", "tags": ["related", "x_transferred"]}, {"url": "https://issues.apache.org/jira/browse/OFBIZ-13006", "tags": ["issue-tracking", "x_transferred"]}, {"url": "https://lists.apache.org/thread/w6s60okgkxp2th1sr8vx0ndmgk68fqrd", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/05/09/1", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:06:44.061Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-32113", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-07T14:34:32.255379Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2024-08-07", "reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"}}}], "affected": [{"cpes": ["cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*"], "vendor": "apache", "product": "ofbiz", "versions": [{"status": "affected", "version": "0", "lessThan": "18.12.13", "versionType": "custom"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-08T17:23:43.528Z"}, "timeline": [{"lang": "en", "time": "2024-08-07T00:00:00+00:00", "value": "CVE-2024-32113 added to CISA KEV"}]}], "cna": {"title": "Apache OFBiz: Path traversal leading to RCE", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Qiyi Zhang (RacerZ) @secsys from Fudan"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache OFBiz", "versions": [{"status": "affected", "version": "0", "lessThan": "18.12.13", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://ofbiz.apache.org/download.html", "tags": ["mitigation"]}, {"url": "https://ofbiz.apache.org/security.html", "tags": ["related"]}, {"url": "https://issues.apache.org/jira/browse/OFBIZ-13006", "tags": ["issue-tracking"]}, {"url": "https://lists.apache.org/thread/w6s60okgkxp2th1sr8vx0ndmgk68fqrd", "tags": ["vendor-advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/05/09/1"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13.\n\nUsers are recommended to upgrade to version 18.12.13, which fixes the issue.\n\n", "supportingMedia": [{"type": "text/html", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.<p>This issue affects Apache OFBiz: before 18.12.13.</p><p>Users are recommended to upgrade to version 18.12.13, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-05-08T14:50:07.272Z"}}}, "cveMetadata": {"cveId": "CVE-2024-32113", "state": "PUBLISHED", "dateUpdated": "2024-08-08T03:55:22.955Z", "dateReserved": "2024-04-11T06:42:13.766Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2024-05-08T14:50:07.272Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"cisaActionDue": "2024-08-28", "cisaExploitAdd": "2024-08-07", "cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "Apache OFBiz Path Traversal Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*", "matchCriteriaId": "B182D3A9-6FB2-4EE7-B053-BEA62755FC9D", "versionEndExcluding": "18.12.13", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13.\n\nUsers are recommended to upgrade to version 18.12.13, which fixes the issue.\n\n"}, {"lang": "es", "value": "Limitaci\u00f3n inadecuada de una vulnerabilidad de nombre de ruta a un directorio restringido (\"Path Traversal\") en Apache OFBiz. Este problema afecta a Apache OFBiz: antes del 18.12.13. Se recomienda a los usuarios actualizar a la versi\u00f3n 18.12.13, que soluciona el problema."}], "id": "CVE-2024-32113", "lastModified": "2024-08-08T13:38:57.533", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-05-08T15:15:10.227", "references": [{"source": "security@apache.org", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2024/05/09/1"}, {"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://issues.apache.org/jira/browse/OFBIZ-13006"}, {"source": "security@apache.org", "tags": ["Mailing List"], "url": "https://lists.apache.org/thread/w6s60okgkxp2th1sr8vx0ndmgk68fqrd"}, {"source": "security@apache.org", "tags": ["Product"], "url": "https://ofbiz.apache.org/download.html"}, {"source": "security@apache.org", "tags": ["Patch"], "url": "https://ofbiz.apache.org/security.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@apache.org", "type": "Primary"}]}