CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2024-38856

CVSS 9.8v3.1pub. 2024-08-05upd. 2025-10-23

Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Ofbiz

    APP
    Apache
    < 18.12.15

CISA KEV — detailsi

Vendori
Apache
Producti
OFBiz
Added to KEVi
August 27, 2024
Remediation deadline (US Federal)i
September 17, 2024(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Apache OFBiz contains an incorrect authorization vulnerability that could allow remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 17 września 2024
CWE
References

Related vulnerabilities

CVE-2024-32113CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Path Traversal w Apache OFBiz umożliwiający zdalne wykonanie kodu

CVE-2026-31986CRITICAL9.1PL ✓ten sam produkt

Apache OFBiz — użycie zakodowanego na stałe klucza kryptograficznego

CVE-2026-45434CRITICAL9.8PL ✓ten sam produkt

Apache OFBiz — Auth Bypass i RCE poprzez błąd logiki zmiany hasła

CVE-2026-41919CRITICAL9.1PL ✓ten sam produkt

LDAP Injection w Apache OFBiz umożliwiający nieautoryzowany dostęp

CVE-2025-54466CRITICAL9.8PL ✓ten sam produkt

Apache OFBiz: Code Injection w pluginie scrum umożliwia RCE