CVE-2018-8033 - High Severity Vulnerability
Vulnerable Library - ofbizbeforeSvnRestructuring
Apache OFBiz - Main development has moved to the ofbiz-frameworks repository.
Library home page: https://github.com/apache/ofbiz.git
Found in HEAD commit: 9f6ed39589395d00f1d69228cb50a7987ba11512
Found in base branch: trunk
Vulnerable Source Files (1)
/webapp/event/XmlRpcEventHandler.java
Vulnerability Details
In Apache OFBiz 16.11.01 to 16.11.04, the OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. Both POST and GET requests to the httpService endpoint may contain three parameters: serviceName, serviceMode, and serviceContext. The exploitation occurs by having DOCTYPEs pointing to external references that trigger a payload that returns secret information from the host.
Publish Date: 2018-12-13
URL: CVE-2018-8033
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8033
Fix Resolution: REL-16.11.04