CVE-2024-45195
Apache OFBiz: Confused controller-view authorization logic (forced browsing)
In short
Apache OFBiz before 18.12.16 lets an attacker reach restricted pages directly with a crafted request: the controller serves the protected view without applying the permission check that normally guards it, so no credentials are needed.
Technical detail
Apache OFBiz before 18.12.16 has a forced-browsing flaw (CWE-425, Direct Request) in the authorization logic that ties controller requests to the views they render. The permission check is applied to one part of the request while the view that is actually served is resolved from another, so the two can disagree: a crafted direct HTTP request makes the controller render a restricted view even though the caller never satisfied that view's permission requirement. The CVSS vector (PR:N, UI:N) records that no privileges or user interaction are needed, and the impact spans confidentiality, integrity and availability (C:H/I:H/A:H). The CVE is tracked in CISA's Known Exploited Vulnerabilities catalog (see references), so exposed instances should be assumed to be actively targeted. The fix is to upgrade to 18.12.16 or later; no vendor workaround is listed.
Official description
Direct Request ('Forced Browsing') vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 18.12.16.
Users are recommended to upgrade to version 18.12.16, which fixes the issue.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (base score 9.8, Critical)
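The bug class behind this advisory, a controller that authorizes on one name but renders a view chosen from another, is easier to reason about with a small model. The code below is an added illustration written for this page; it is not Apache OFBiz code and does not reproduce its controller, request names, parameters or permissions, all of which are invented here. It shows a vulnerable handler beside a hardened one, plus a version triage helper that assumes plain dotted OFBiz version strings such as "18.12.15".

```python
"""
Generic model of a CWE-425 (forced browsing) bug: the authorization decision
is keyed on the request name taken from the URI, but the view that is rendered
is taken from a separate client-controlled parameter, so the two can disagree.
Added example only; names, permissions and URIs are constructed, not OFBiz's.
"""
from dataclasses import dataclass, field

# Constructed controller map: request name -> permission needed and view rendered.
REQUEST_MAP = {
    "main":        {"permission": None,           "view": "main"},
    "viewProfile": {"permission": "PROFILE_VIEW", "view": "profile"},
    "adminPanel":  {"permission": "ADMIN",        "view": "admin"},
}

# Constructed view map: view name -> rendered body (stand-in for a template).
VIEW_MAP = {
    "main":    "<main page>",
    "profile": "<profile page>",
    "admin":   "<admin page>",
}


@dataclass
class Request:
    uri: str                                   # e.g. "/control/main"
    params: dict = field(default_factory=dict)  # query parameters
    user_perms: set = field(default_factory=set)  # empty set = unauthenticated


def _request_name(req: Request) -> str:
    """Last path segment of the URI is the controller request name."""
    return req.uri.rsplit("/", 1)[-1]


def _authorized(entry: dict, req: Request) -> bool:
    needed = entry["permission"]
    return needed is None or needed in req.user_perms


def handle_vulnerable(req: Request) -> tuple:
    """Permission is checked for the request named in the URI, but the view
    actually rendered comes from a client parameter. A caller can name a
    public request and ask for a protected view; the check never sees it."""
    entry = REQUEST_MAP.get(_request_name(req))
    if entry is None:
        return 404, ""
    if not _authorized(entry, req):
        return 403, ""
    view = req.params.get("view", entry["view"])   # <-- the confusion
    body = VIEW_MAP.get(view)
    return (200, body) if body is not None else (404, "")


def handle_fixed(req: Request) -> tuple:
    """The view is resolved only from the controller entry, and the permission
    of every request that renders that view is enforced, so a view can never
    be reached under a weaker requirement than the one its owner declares."""
    entry = REQUEST_MAP.get(_request_name(req))
    if entry is None:
        return 404, ""
    view = entry["view"]                           # client parameter ignored
    for owner in REQUEST_MAP.values():
        if owner["view"] == view and not _authorized(owner, req):
            return 403, ""
    return 200, VIEW_MAP[view]


def probe(handler) -> dict:
    """Run a constructed set of requests through a handler and report status codes."""
    cases = {
        "unauth direct protected":   Request("/control/adminPanel"),
        "unauth public+view param":  Request("/control/main", {"view": "admin"}),
        "admin direct protected":    Request("/control/adminPanel", user_perms={"ADMIN"}),
    }
    return {label: handler(req) for label, req in cases.items()}


def is_affected(version: str, fixed: str = "18.12.16") -> bool:
    """Triage helper: True when a dotted numeric version is older than the fix.
    Assumes plain 'major.minor.patch' strings; anything else raises ValueError."""
    def key(v):
        return tuple(int(part) for part in v.strip().split("."))
    return key(version) < key(fixed)


if __name__ == "__main__":
    for name, handler in (("vulnerable", handle_vulnerable), ("fixed", handle_fixed)):
        print(name, probe(handler))
    print("18.12.15 affected:", is_affected("18.12.15"))
```

The interesting row is the second one: against the vulnerable handler an unauthenticated request for the public `main` request with an extra view parameter gets the admin body back with a 200, whereas the fixed handler serves only the view the `main` entry owns. The real fix in OFBiz is of course its own; the point here is that the permission check and the view selection must be keyed on the same value.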
Affected products
Apache Software Foundation · Apache OFBiz (before 18.12.16)
Public PoCs found: 1
github.com/wyyazjjl/CVE-2024-45195 (0 stars). Public resources, listed to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://issues.apache.org/jira/browse/OFBIZ-13130
https://lists.apache.org/thread/o90dd9lbk1hh3t2557t2y2qvrh92p7wy
https://ofbiz.apache.org/download.html
https://ofbiz.apache.org/security.html
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-45195
http://www.openwall.com/lists/oss-security/2024/09/03/6