
List:       oss-security
Subject:    [oss-security] CVE-2023-50968: Apache OFBiz: Arbitrary file properties reading and SSRF attack
From:       Nicolas Malin <nmalin () apache ! org>
Date:       2023-12-26 10:17:25
Message-ID: 58d8d5e1-bb9d-afb1-7606-593067da71fb () apache ! org

Severity: important

Affected versions:

- Apache OFBiz through 18.12.10

Description:

Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when a user operates a URI call without authorization.

The same URI can also be operated to carry out an SSRF attack, again without authorization.

Users are recommended to upgrade to version 18.12.11, which fixes this issue.

Credit:

Yun Peng - 郭 运鹏 <puata123@outlook.com> (finder)

References:

https://ofbiz.apache.org/download.html
https://ofbiz.apache.org/security.html
https://ofbiz.apache.org/release-notes-18.12.11.html
https://issues.apache.org/jira/browse/OFBIZ-12875
https://ofbiz.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-50968

