CVE-2023-50968

Apache OFBiz: Arbitrary file properties reading and SSRF attack

Description

Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. The same uri can be operated to realize a SSRF attack also without authorizations. Users are recommended to upgrade to version 18.12.11, which fixes this issue.

References

Link	Tags
https://ofbiz.apache.org/download.html	mitigation product
https://ofbiz.apache.org/security.html	vendor advisory related
https://ofbiz.apache.org/release-notes-18.12.11.html	release notes
https://issues.apache.org/jira/browse/OFBIZ-12875	patch vendor advisory issue tracking
https://lists.apache.org/thread/x5now4bk3llwf3k58kl96qvtjyxwp43q	vendor advisory mailing list
http://www.openwall.com/lists/oss-security/2023/12/26/2	third party advisory mailing list

Frequently Asked Questions

What is the severity of CVE-2023-50968?: CVE-2023-50968 has been scored as a high severity vulnerability.
How to fix CVE-2023-50968?: To fix CVE-2023-50968, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-50968 being actively exploited in the wild?: It is possible that CVE-2023-50968 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~83% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-50968?: CVE-2023-50968 affects Apache Software Foundation Apache OFBiz.

Description

Categories

CWE-200 – Exposure of Sensitive Information to an Unauthorized Actor

CWE-918 – Server-Side Request Forgery (SSRF)

References

Frequently Asked Questions