CVE-2024-45195

Warning

EPSS 94.13%
Published 04.09.2024 09:15:04
Last modified 06.03.2025 19:48:51
Source security@apache.org
Teams watchlist Login
Open Login

Direct Request ('Forced Browsing') vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: before 18.12.16.

Users are recommended to upgrade to version 18.12.16, which fixes the issue.

Affected products Warnungen 1 Metrics 3 CWE 1 References 8

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Ofbiz Version < 18.12.16

04.02.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

Apache OFBiz Forced Browsing Vulnerability

Vulnerability

Apache OFBiz contains a forced browsing vulnerability that allows a remote attacker to obtain unauthorized access.

Description

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	94.13%	0.999

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-425 Direct Request ('Forced Browsing')

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

https://ofbiz.apache.org/security.html

Vendor Advisory

https://ofbiz.apache.org/download.html

Product

https://issues.apache.org/jira/browse/OFBIZ-13130

Vendor Advisory

Issue Tracking

https://lists.apache.org/thread/o90dd9lbk1hh3t2557t2y2qvrh92p7wy

Vendor Advisory

http://www.openwall.com/lists/oss-security/2024/09/03/6

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2024-45195

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-45195

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-45195

EUVD