CVE-2024-38856

Apache OFBiz: Unauthenticated endpoint could allow execution of screen rendering code

CVSS 8.1 HIGH | EPSS 99.4% | ● KEV | CWE-863
In short

Apache OFBiz allows unauthenticated users to execute screen rendering code on certain endpoints when permission checks are not explicitly enforced. This could let attackers bypass security controls and access or manipulate sensitive functionality without logging in.

Technical detail

A CWE-863 (Incorrect Authorization) vulnerability in Apache OFBiz ≤18.12.14 permits unauthenticated access to screen rendering endpoints when screen definitions lack an explicit permission check. The attack vector requires only network access to an affected endpoint; exploitation is possible when a screen relies solely on its endpoint configuration for authorization rather than on an inline permission condition. Impact includes unauthorized code execution and potential data exposure or system compromise.

Summary generated and translated by AI from the official description.
Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
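The precondition both descriptions name is a screen definition that carries no permission condition of its own. The following audit helper is an added example, not code from this page or from the OFBiz project: it parses a widget-screen XML file and lists screens with no inline permission element. The element names (`if-has-permission`, `if-service-permission`, `if-entity-permission`) and the namespace are assumptions based on OFBiz's widget-screen schema, and the sample XML is constructed.

```python
"""Flag OFBiz screen definitions that declare no inline permission check."""
import xml.etree.ElementTree as ET

# Assumption: these condition elements are how a screen expresses its own
# permission check in OFBiz widget-screen XML.
PERMISSION_CHECKS = {"if-has-permission", "if-service-permission", "if-entity-permission"}


def local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def screens_without_permission_check(xml_text: str) -> list[str]:
    """Return names of <screen> elements containing none of PERMISSION_CHECKS.

    A screen that only includes another (checked) screen is still flagged,
    since this helper does not follow <include-screen>; review those by hand.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for screen in root.iter():
        if local_name(screen.tag) != "screen":
            continue
        has_check = any(local_name(el.tag) in PERMISSION_CHECKS for el in screen.iter())
        if not has_check:
            findings.append(screen.get("name", "<unnamed>"))
    return findings


# Constructed sample: one screen with an inline check, one relying on its endpoint only.
SAMPLE_SCREENS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<screens xmlns="http://ofbiz.apache.org/Widget-Screen">
  <screen name="ViewInvoice">
    <section>
      <condition><if-has-permission permission="ACCOUNTING" action="_VIEW"/></condition>
      <widgets><label text="invoice"/></widgets>
      <fail-widgets><label text="denied"/></fail-widgets>
    </section>
  </screen>
  <screen name="AdminReport">
    <section>
      <actions><set field="title" value="report"/></actions>
      <widgets><label text="report"/></widgets>
    </section>
  </screen>
</screens>
"""

if __name__ == "__main__":
    print(screens_without_permission_check(SAMPLE_SCREENS_XML))  # returns ['AdminReport']
```

Run it over each `*Screens.xml` in a deployment to get a worklist of screens whose only protection is the endpoint configuration.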
