Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin. This issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used. Even unauthenticated attackers can exploit this vulnerability. Users are recommended to upgrade to version 24.09.02, which fixes the issue.
The vulnerability stems from improper code generation control (CWE-94), which enables injection and execution of malicious code on the server side. The vulnerability is network-accessible without requiring authentication, and its exploitation does not require any user interaction. The flaw only affects installations where the scrum plugin is active.
An attacker can gain full control over the server — compromising confidentiality, integrity, and availability of the system, which in practice means the ability to steal data, modify resources, or completely disable the application.
Apache OFBiz must be updated immediately to version 24.09.02 or newer. If immediate update is not possible, consider disabling the scrum plugin until the patch is applied.
Apache OFBiz versions prior to 24.09.02, only when the scrum plugin is active.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Ofbiz
APPApache< 24.09.02
Related vulnerabilities
Apache OFBiz — nieautoryzowane wykonanie kodu przez błędną autoryzację
Path Traversal w Apache OFBiz umożliwiający zdalne wykonanie kodu
LDAP Injection w Apache OFBiz umożliwiający nieautoryzowany dostęp
Apache OFBiz — użycie zakodowanego na stałe klucza kryptograficznego
Apache OFBiz — Auth Bypass i RCE poprzez błąd logiki zmiany hasła