Description

OFBiz allows an unauthenticated attacker to send arbitrary requests to perform lookups on the internal network, which is otherwise inaccessible externally. This feature can be exploited to perform SSRF (Server-Side Request Forgery) attacks, potentially leading to Remote Code Execution (RCE) on the server

Remediation

Upgrade to the latest version of OFBiz

References

Apache OFBiz 18.12.16 released

[CVE-2024-45507] Add validation to screen/script URI to block URL patterns

Related Vulnerabilities

Apache Traffic Server Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') Vulnerability (CVE-2021-43082)

Cherokee Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2019-20798)

Liferay Portal Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2022-42110)

PHP Other Vulnerability (CVE-2007-2511)

IBM RTC Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-20503)

Severity

Critical

Classification

CVE-2024-45507 CWE-918 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Acumonitor SSRF Known Vulnerabilities