CVE-2024-47208

CRITICAL

Apache OFBiz <18.12.17 - SSRF/Code Injection

Title source: llm

Description

Server-Side Request Forgery (SSRF) and Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz releases before 18.12.17. Users are recommended to upgrade to version 18.12.17, which fixes the issue.

References

Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/11/16/3
Product, Release Notes (mitigation)
https://ofbiz.apache.org/download.html
Mailing List, Vendor Advisory
https://lists.apache.org/thread/022r19skfofhv3lzql33vowlrvqndh11

Scores

CVSS v3.1 base score 9.8 (Critical)
EPSS 0.0097 (0.97% estimated probability of exploitation in the wild within the next 30 days)
EPSS Percentile 76.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC (source: Vulnrichment)

Exploitation none (no active exploitation or public proof of concept known at the time of enrichment)
Automatable yes
Technical Impact total

Details

CWE
CWE-918 CWE-94
Status published
Products (1)
apache/ofbiz < 18.12.17
Published Nov 18, 2024
Tracked Since Feb 18, 2026
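The affected range is everything below 18.12.17, so the practical check is a version comparison. The block below is an added example (not the CVE record's content and not OFBiz project code) that compares release strings component by component. The point it makes is the trap in the obvious approach: as strings, "18.12.9" sorts after "18.12.17", so a lexicographic check would report a vulnerable 18.12.9 host as patched. The host names and versions in the sample inventory are constructed, and stripping a qualifier such as "-SNAPSHOT" is an assumption made for this check.

```python
"""Affected-version check for 'apache/ofbiz < 18.12.17' (added example)."""
import re

FIXED_VERSION = "18.12.17"  # fix version stated in the advisory


def parse_version(version: str) -> tuple:
    """Turn '18.12.9' (or '18.12.9-SNAPSHOT') into a tuple of ints.
    Anything after the leading dotted number is dropped, which treats a
    snapshot like its base version (assumption for this check)."""
    match = re.match(r"^\s*(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in match.group(1).split("."))


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly lower than b. Short tuples are padded
    with zeros so that '18.12' compares equal to '18.12.0'."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb  # tuple comparison is numeric, component by component


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """CVE-2024-47208 affects every OFBiz release before the fixed version."""
    return version_lt(installed, fixed)


def triage(inventory: dict) -> list:
    """Return the hosts whose installed OFBiz version is in the affected range."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = {"erp-01": "18.12.9", "erp-02": "18.12.17", "erp-03": "18.12.16"}
    for host, ver in inventory.items():
        print(host, ver, "AFFECTED" if is_affected(ver) else "ok")
    print("needs upgrade:", triage(inventory))
```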