CVE-2023-49070 - OpenCVE

Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before 18.12.10. Users are recommended to upgrade to version 18.12.10

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Ofbiz

Configuration 1 [-]

cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*

References

Link	Resource
http://packetstormsecurity.com/files/176323/Apache-OFBiz-18.12.09-Remote-Code-Execution.html
https://issues.apache.org/jira/browse/OFBIZ-12812	Issue Tracking Patch
https://lists.apache.org/thread/jmbqk2lp4t4483whzndp5xqlq4f3otg3	Mailing List
https://ofbiz.apache.org/download.html	Product
https://ofbiz.apache.org/release-notes-18.12.10.html	Release Notes
https://ofbiz.apache.org/security.html	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2023-12-05T08:05:06.966Z

Updated: 2023-12-05T08:05:06.966Z

Reserved: 2023-11-21T12:04:43.559Z

Link: CVE-2023-49070

JSON object: View

NVD Information

Status : Modified

Published: 2023-12-05T08:15:07.443

Modified: 2023-12-29T18:15:39.103

Link: CVE-2023-49070

JSON object: View

Redhat Information

No data.

CWE

CWE-94

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-49070", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-11-21T12:04:43.559Z", "datePublished": "2023-12-05T08:05:06.966Z", "dateUpdated": "2023-12-05T08:05:06.966Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Apache OFBiz", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "18.12.10", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Siebene@"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nPre-auth RCE in Apache Ofbiz 18.12.09.<br><br>It's due to XML-RPC <span style=\"background-color: rgb(255, 255, 255);\">no longer maintained</span> still present.<br><p>This issue affects Apache OFBiz: before 18.12.10. <br><span style=\"background-color: rgb(255, 255, 255);\">Users are recommended to upgrade to version 18.12.10</span></p>\n\n"}], "value": "\nPre-auth RCE in Apache Ofbiz 18.12.09.\n\nIt's due to XML-RPC\u00a0no longer maintained\u00a0still present.\nThis issue affects Apache OFBiz: before 18.12.10.\u00a0\nUsers are recommended to upgrade to version 18.12.10\n\n"}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-12-05T08:05:06.966Z"}, "references": [{"tags": ["mitigation"], "url": "https://ofbiz.apache.org/download.html"}, {"tags": ["related"], "url": "https://ofbiz.apache.org/security.html"}, {"tags": ["release-notes"], "url": "https://ofbiz.apache.org/release-notes-18.12.10.html"}, {"tags": ["issue-tracking"], "url": "https://issues.apache.org/jira/browse/OFBIZ-12812"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/jmbqk2lp4t4483whzndp5xqlq4f3otg3"}, {"url": "http://packetstormsecurity.com/files/176323/Apache-OFBiz-18.12.09-Remote-Code-Execution.html"}], "source": {"defect": ["OFBIZ-12812"], "discovery": "EXTERNAL"}, "title": "Pre-auth RCE in Apache Ofbiz 18.12.09 due to XML-RPC still present", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*", "matchCriteriaId": "10BDFE5A-6BD0-4A4B-A60F-2463D923FE93", "versionEndExcluding": "18.12.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\nPre-auth RCE in Apache Ofbiz 18.12.09.\n\nIt's due to XML-RPC\u00a0no longer maintained\u00a0still present.\nThis issue affects Apache OFBiz: before 18.12.10.\u00a0\nUsers are recommended to upgrade to version 18.12.10\n\n"}, {"lang": "es", "value": "RCE de autorizaci\u00f3n previa en Apache Ofbiz 18.12.09. Se debe a que XML-RPC ya no se mantiene presente. Este problema afecta a Apache OFBiz: antes del 18.12.10. Se recomienda a los usuarios actualizar a la versi\u00f3n 18.12.10"}], "id": "CVE-2023-49070", "lastModified": "2023-12-29T18:15:39.103", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-12-05T08:15:07.443", "references": [{"source": "security@apache.org", "url": "http://packetstormsecurity.com/files/176323/Apache-OFBiz-18.12.09-Remote-Code-Execution.html"}, {"source": "security@apache.org", "tags": ["Issue Tracking", "Patch"], "url": "https://issues.apache.org/jira/browse/OFBIZ-12812"}, {"source": "security@apache.org", "tags": ["Mailing List"], "url": "https://lists.apache.org/thread/jmbqk2lp4t4483whzndp5xqlq4f3otg3"}, {"source": "security@apache.org", "tags": ["Product"], "url": "https://ofbiz.apache.org/download.html"}, {"source": "security@apache.org", "tags": ["Release Notes"], "url": "https://ofbiz.apache.org/release-notes-18.12.10.html"}, {"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://ofbiz.apache.org/security.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@apache.org", "type": "Primary"}]}