CVE-2023-50968 - High Severity Vulnerability
Vulnerable Libraries - ofbizbeforeSvnRestructuring
Vulnerability Details
Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when a user operates a URI call without authorization. The same URI can be used to perform an SSRF attack, also without authorization. Users are recommended to upgrade to version 18.12.11, which fixes this issue.
Publish Date: 2023-12-26
URL: CVE-2023-50968
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://seclists.org/oss-sec/2023/q4/336
Release Date: 2023-12-26
Fix Resolution: 18.12.11, 22.01.01