Apache OFBiz 18.12.09 Remote Code Execution

2023.12.31

Credit: Jacques Leroux

Risk: High

Local: No

Remote: Yes

CVE: CVE-2023-49070

CWE: N/A

From: Jacques Le Roux <jleroux () apache org>
Date: Mon, 04 Dec 2023 21:04:50 +0000

Severity: moderate

Affected versions:

- Apache OFBiz before 18.12.10

Description:

Pre-auth RCE in Apache Ofbiz 18.12.09.

It's due to XML-RPC no longer maintained still present.
This issue affects Apache OFBiz: before 18.12.10. 
Users are recommended to upgrade to version 18.12.10

This issue is being tracked as OFBIZ-12812 

Credit:

Siebene@ (finder)

References:

https://ofbiz.apache.org/download.html
https://ofbiz.apache.org/security.html
https://ofbiz.apache.org/release-notes-18.12.10.html
https://ofbiz.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-49070
https://issues.apache.org/jira/browse/OFBIZ-12812


-----
Packet Storm Note
Below is the proof of concept circulating on twitter:

#POC: 
/webtools/control/xmlrpc;/?USERNAME=&PASSWORD=s&requirePasswordChange=Y

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Apache OFBiz 18.12.09 Remote Code Execution

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.