CVE-2024-38856
Severity: CRITICAL | CISA KEV | CVSS 9.8
Description
Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).
CVE Details
CVSS v3.1 Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Published: 2024-08-05
Last Modified: 2025-10-23
Source: kev
Honeypot Sightings: 0
CISA KEV
Vendor: Apache
Product: OFBiz
Vulnerability Name: Apache OFBiz Incorrect Authorization Vulnerability
KEV Date Added: 2024-08-27
Remediation Due Date: 2024-09-17
Ransomware Use: Unknown
Affected Products
apache:ofbiz
Weaknesses (CWE)
CWE-863
References
https://issues.apache.org/jira/browse/OFBIZ-13128 (Apache security team)
https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w (Apache security team)
https://ofbiz.apache.org/download.html (Apache security team)
https://ofbiz.apache.org/security.html (Apache security team)
http://www.openwall.com/lists/oss-security/2024/08/04/1
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-38856
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.