Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations.
The same uri can be operated to realize a SSRF attack also without authorizations.
Users are recommended to upgrade to version 18.12.11, which fixes this issue.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2023/12/26/2 | Mailing List Third Party Advisory |
https://issues.apache.org/jira/browse/OFBIZ-12875 | Issue Tracking Patch Vendor Advisory |
https://lists.apache.org/thread/x5now4bk3llwf3k58kl96qvtjyxwp43q | Mailing List Vendor Advisory |
https://ofbiz.apache.org/download.html | Product |
https://ofbiz.apache.org/release-notes-18.12.11.html | Release Notes |
https://ofbiz.apache.org/security.html | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: apache
Published: 2023-12-26T11:45:55.393Z
Updated: 2023-12-26T11:45:55.393Z
Reserved: 2023-12-17T12:58:11.842Z
Link: CVE-2023-50968
JSON object: View
NVD Information
Status : Analyzed
Published: 2023-12-26T12:15:07.287
Modified: 2024-01-04T03:01:53.323
Link: CVE-2023-50968
JSON object: View
Redhat Information
No data.