CRITICAL🇵🇱 Wersja polska

CVE-2025-54466

CVSS 9.8v3.1pub. 2025-08-15upd. 2025-11-04

Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin. This issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used. Even unauthenticated attackers can exploit this vulnerability. Users are recommended to upgrade to version 24.09.02, which fixes the issue.

🤖 AI Analysis
How it works

The vulnerability stems from improper code generation control (CWE-94), which enables injection and execution of malicious code on the server side. The vulnerability is network-accessible without requiring authentication, and its exploitation does not require any user interaction. The flaw only affects installations where the scrum plugin is active.

Impact

An attacker can gain full control over the server — compromising confidentiality, integrity, and availability of the system, which in practice means the ability to steal data, modify resources, or completely disable the application.

Mitigation & patch

Apache OFBiz must be updated immediately to version 24.09.02 or newer. If immediate update is not possible, consider disabling the scrum plugin until the patch is applied.

Who is affected

Apache OFBiz versions prior to 24.09.02, only when the scrum plugin is active.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Ofbiz

    APP
    Apache
    < 24.09.02
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2024-38856CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Apache OFBiz — nieautoryzowane wykonanie kodu przez błędną autoryzację

CVE-2024-32113CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Path Traversal w Apache OFBiz umożliwiający zdalne wykonanie kodu

CVE-2026-41919CRITICAL9.1PL ✓ten sam produkt

LDAP Injection w Apache OFBiz umożliwiający nieautoryzowany dostęp

CVE-2026-31986CRITICAL9.1PL ✓ten sam produkt

Apache OFBiz — użycie zakodowanego na stałe klucza kryptograficznego

CVE-2026-45434CRITICAL9.8PL ✓ten sam produkt

Apache OFBiz — Auth Bypass i RCE poprzez błąd logiki zmiany hasła