← Zuruck zu CVEs

CVE-2024-38856

CRITICALCISA KEV

9.8

Beschreibung

Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).

CVE Details

CVSS v3.1 Bewertung9.8

SchweregradCRITICAL

CVSS VektorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AngriffsvektorNETWORK

KomplexitatLOW

Erforderliche PrivilegienNONE

BenutzerinteraktionNONE

Veroffentlicht8/5/2024

Zuletzt geandert10/23/2025

Quellekev

Honeypot-Sichtungen0

CISA KEV

HerstellerApache

ProduktOFBiz

SchwachstellennameApache OFBiz Incorrect Authorization Vulnerability

KEV Aufnahmedatum2024-08-27

Behebungsfrist2024-09-17

Ransomware-NutzungUnknown

Betroffene Produkte

apache:ofbiz

Schwachen (CWE)

CWE-863

Referenzen

https://issues.apache.org/jira/browse/OFBIZ-13128(security@apache.org)

https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w(security@apache.org)

https://ofbiz.apache.org/download.html(security@apache.org)

https://ofbiz.apache.org/security.html(security@apache.org)

http://www.openwall.com/lists/oss-security/2024/08/04/1(af854a3a-2127-422b-91ae-364da2661108)

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-38856(134c704f-9b21-4f2e-91b3-4a467353bcc0)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.