Advisory Details

August 6th, 2024

Apache OFBiz resolveURI Authentication Bypass Vulnerability

ZDI-24-1099
ZDI-CAN-24775

CVE ID CVE-2024-38856
CVSS SCORE 9.8, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AFFECTED VENDORS Apache
AFFECTED PRODUCTS OFBiz
VULNERABILITY DETAILS

This vulnerability allows remote attackers to bypass authentication on affected installations of Apache OFBiz. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the implementation of the resolveURI method. The issue results from improper URI validation. An attacker can leverage this vulnerability to bypass authentication on the system.

ADDITIONAL DETAILS Apache has issued an update to correct this vulnerability. More details can be found at:
https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w
DISCLOSURE TIMELINE
  • 2024-07-12 - Vulnerability reported to vendor
  • 2024-08-06 - Coordinated public release of advisory
  • 2024-08-15 - Advisory Updated
CREDIT Nicholas Zubrisky (@NZubrisky) of Trend Micro Security Research