QID 731049

Date Published: 2023-12-27

QID 731049: Apache OFBiz Authentication Bypass Vulnerability

Apache OFBiz is an open source enterprise resource planning system. It provides a suite of enterprise applications that integrate and automate many of the business processes of an enterprise. Apache OFBiz contains an authentication bypass vulnerability that may allow a remote attacker to execute arbitrary code.

Affected Versions:
Apache OFBiz versions prior to 18.12.11.

QID Detection Logic:
This QID sends a crafted payload as an HTTP GET request to the 'webtools/control/ping' endpoint and checks whether the authentication bypass succeeded.

Successful exploitation of the vulnerability may allow an unauthenticated remote attacker to execute arbitrary code.

  • CVSS V3 rated as Critical - 9.8 severity.
  • CVSS V2 rated as Critical - 10 severity.

Solution:
The vendor has released a patch addressing the vulnerability. Customers are advised to upgrade to version 18.12.11 or later. For more information, please refer to the Apache OFBiz Security Advisory.

Vendor References:
Apache Security Advisory: lists.apache.org/thread/9tmf9qyyhgh6m052rhz7lg9vxn390bdv