CVE-2024-32113

Warnung

EPSS 93.82%
Veröffentlicht 08.05.2024 15:15:10
Zuletzt bearbeitet 10.03.2025 20:23:37
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13.

Users are recommended to upgrade to version 18.12.13, which fixes the issue.

Betroffene Produkte Warnungen 1 Metriken 3 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Ofbiz Version < 18.12.13

07.08.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog

Apache OFBiz Path Traversal Vulnerability

Schwachstelle

Apache OFBiz contains a path traversal vulnerability that could allow for remote code execution.

Beschreibung

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	93.82%	0.999

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://ofbiz.apache.org/security.html

Patch

https://ofbiz.apache.org/download.html

Product

http://www.openwall.com/lists/oss-security/2024/05/09/1

Mailing List

https://issues.apache.org/jira/browse/OFBIZ-13006

Vendor Advisory

https://lists.apache.org/thread/w6s60okgkxp2th1sr8vx0ndmgk68fqrd

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2024-32113

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-32113

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-32113

EUVD