CISA KEV 정보
| 취약점명 | Apache OFBiz Incorrect Authorization Vulnerability |
|---|---|
| 설명 | Apache OFBiz contains an incorrect authorization vulnerability that could allow remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker. |
| 조치사항 | Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. |
| 랜섬웨어 캠페인 악용 | Unknown |
| CWE | CWE-863 |
| 등록일 (KEV) | 2024-08-27 |
| 조치 기한 | 2024-09-17 |
| 추가 참고 | This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w; https://nvd.nist.gov/vuln/detail/CVE-2024-38856 |
NVD 상세 정보
CVSS v3.1: 9.8 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H설명: Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).
CWE: CWE-863
참조
- https://issues.apache.org/jira/browse/OFBIZ-13128 [Issue Tracking]
- https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w [Mailing List, Vendor Advisory]
- https://ofbiz.apache.org/download.html [Product]
- https://ofbiz.apache.org/security.html [Patch]
- http://www.openwall.com/lists/oss-security/2024/08/04/1 [Mailing List]
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-38856 [Third Party Advisory, US Government Resource]
This product uses the NVD API but is not endorsed or certified by the NVD.