CVE-2024-23946 - OpenCVE

Possible path traversal in Apache OFBiz allowing file inclusion. Users are recommended to upgrade to version 18.12.12, that fixes the issue.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Ofbiz

Configuration 1 [-]

cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2024/02/28/9	Mailing List Third Party Advisory
https://issues.apache.org/jira/browse/OFBIZ-12884	Issue Tracking Vendor Advisory
https://lists.apache.org/thread/w4lp5ncpzttf41hn5bsc04mzq4o6lw3g	Vendor Advisory
https://ofbiz.apache.org/download.html	Patch Release Notes
https://ofbiz.apache.org/release-notes-18.12.12.html	Release Notes Vendor Advisory
https://ofbiz.apache.org/security.html	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2024-02-28T15:44:41.714Z

Updated: 2024-02-28T15:44:41.714Z

Reserved: 2024-01-24T11:56:35.708Z

Link: CVE-2024-23946

JSON object: View

NVD Information

Status : Analyzed

Published: 2024-02-29T01:44:11.227

Modified: 2024-03-12T17:29:17.243

Link: CVE-2024-23946

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2024-23946", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-01-24T11:56:35.708Z", "datePublished": "2024-02-28T15:44:41.714Z", "dateUpdated": "2024-02-28T15:44:41.714Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache OFBiz", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "18.12.12", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Arun Shaji from trendmicro.com"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Possible path traversal in Apache OFBiz allowing file inclusion.<br>Users are recommended to upgrade to version 18.12.12, that fixes the issue."}], "value": "Possible path traversal in Apache OFBiz allowing file inclusion.\nUsers are recommended to upgrade to version 18.12.12, that fixes the issue."}], "metrics": [{"other": {"content": {"text": "critical"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-02-28T15:44:41.714Z"}, "references": [{"tags": ["mitigation"], "url": "https://ofbiz.apache.org/download.html"}, {"tags": ["related"], "url": "https://ofbiz.apache.org/security.html"}, {"tags": ["release-notes"], "url": "https://ofbiz.apache.org/release-notes-18.12.12.html"}, {"tags": ["issue-tracking"], "url": "https://issues.apache.org/jira/browse/OFBIZ-12884"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/w4lp5ncpzttf41hn5bsc04mzq4o6lw3g"}, {"url": "http://www.openwall.com/lists/oss-security/2024/02/28/9"}], "source": {"advisory": "https://ofbiz.apache.org/security.html", "discovery": "EXTERNAL"}, "title": "Apache OFBiz: Path traversal or file inclusion", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*", "matchCriteriaId": "424FD80B-5374-418B-86EF-12EC573A24E1", "versionEndExcluding": "18.12.12", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Possible path traversal in Apache OFBiz allowing file inclusion.\nUsers are recommended to upgrade to version 18.12.12, that fixes the issue."}, {"lang": "es", "value": "Posible path traversal en Apache OFBiz permitiendo la inclusi\u00f3n de archivos. Se recomienda a los usuarios actualizar a la versi\u00f3n 18.12.12, que soluciona el problema."}], "id": "CVE-2024-23946", "lastModified": "2024-03-12T17:29:17.243", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-29T01:44:11.227", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2024/02/28/9"}, {"source": "security@apache.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://issues.apache.org/jira/browse/OFBIZ-12884"}, {"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://lists.apache.org/thread/w4lp5ncpzttf41hn5bsc04mzq4o6lw3g"}, {"source": "security@apache.org", "tags": ["Patch", "Release Notes"], "url": "https://ofbiz.apache.org/download.html"}, {"source": "security@apache.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://ofbiz.apache.org/release-notes-18.12.12.html"}, {"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://ofbiz.apache.org/security.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-434"}], "source": "security@apache.org", "type": "Primary"}]}