CVE-2024-32113

Warning

EPSS 93.82%
Published 08.05.2024 15:15:10
Last modified 10.03.2025 20:23:37
Source security@apache.org
Teams watchlist Login
Open Login

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13.

Users are recommended to upgrade to version 18.12.13, which fixes the issue.

Affected products Warnungen 1 Metrics 3 CWE 1 References 8

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Ofbiz Version < 18.12.13

07.08.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog

Apache OFBiz Path Traversal Vulnerability

Vulnerability

Apache OFBiz contains a path traversal vulnerability that could allow for remote code execution.

Description

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	93.82%	0.999

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://ofbiz.apache.org/security.html

Patch

https://ofbiz.apache.org/download.html

Product

http://www.openwall.com/lists/oss-security/2024/05/09/1

Mailing List

https://issues.apache.org/jira/browse/OFBIZ-13006

Vendor Advisory

https://lists.apache.org/thread/w6s60okgkxp2th1sr8vx0ndmgk68fqrd

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2024-32113

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-32113

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-32113

EUVD