9.1
CRITICAL
CVE-2024-36104
Apache OFBiz Path Traversal Vulnerability
Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.14. Users are recommended to upgrade to version 18.12.14, which fixes the issue.

INFO

Published Date :

June 4, 2024, 8:15 a.m.

Last Modified :

Nov. 21, 2024, 9:21 a.m.

Remotely Exploitable :

Yes !

Impact Score :

5.2

Exploitability Score :

3.9
Public PoC/Exploit Available at Github

CVE-2024-36104 has a 17 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

Affected Products

The following products are affected by CVE-2024-36104 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Apache ofbiz

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

A curated collection of Proof of Concept (PoC) tools, scripts, and techniques designed for red team operations, penetration testing, and cybersecurity research. This repository focuses on providing practical resources for exploring vulnerabilities

attack cybersecurity exp hw penetration-testing poc red-team security-tools vulnerability-poc

Updated: 1 week, 6 days ago
0 stars 2 fork 2 watcher
Born at : Nov. 17, 2024, 11:53 a.m. This repo has been linked 414 different CVEs too.

这是一个每天同步Vulnerability-Wiki中docs-base中内容的项目

HTML

Updated: 3 weeks ago
0 stars 0 fork 0 watcher
Born at : Sept. 20, 2024, 3:27 a.m. This repo has been linked 210 different CVEs too.

None

Updated: 2 months, 3 weeks ago
0 stars 0 fork 0 watcher
Born at : Sept. 9, 2024, 1:28 a.m. This repo has been linked 128 different CVEs too.

None

HTML

Updated: 2 months, 1 week ago
2 stars 1 fork 1 watcher
Born at : Sept. 4, 2024, 9:24 a.m. This repo has been linked 128 different CVEs too.

None

HTML

Updated: 1 week, 5 days ago
6 stars 0 fork 0 watcher
Born at : Aug. 2, 2024, 6:07 a.m. This repo has been linked 123 different CVEs too.

None

Updated: 5 months, 2 weeks ago
2 stars 0 fork 0 watcher
Born at : June 17, 2024, 7:57 a.m. This repo has been linked 1 different CVEs too.

None

Updated: 2 weeks ago
4 stars 0 fork 0 watcher
Born at : June 14, 2024, 6:54 a.m. This repo has been linked 95 different CVEs too.

Apache OFBIZ Path traversal leading to RCE POC[CVE-2024-32113 & CVE-2024-36104]

apache cve cve-2024 ofbiz rce rce-exploit cve-2024-32113 poc cve-2024-36104

Updated: 2 weeks ago
24 stars 8 fork 8 watcher
Born at : June 3, 2024, 3:57 p.m. This repo has been linked 2 different CVEs too.

nuclei templates

Updated: 1 month ago
1 stars 4 fork 4 watcher
Born at : May 8, 2024, 5:41 a.m. This repo has been linked 7 different CVEs too.

None

HTML Python

Updated: 5 months, 1 week ago
13 stars 1 fork 1 watcher
Born at : April 17, 2024, 8:46 a.m. This repo has been linked 100 different CVEs too.

Apache OfBiz vulns

Updated: 5 days, 2 hours ago
8 stars 2 fork 2 watcher
Born at : April 10, 2024, 1:22 p.m. This repo has been linked 3 different CVEs too.

nuclei templates, poc/exp

Updated: 4 months ago
30 stars 4 fork 4 watcher
Born at : Feb. 4, 2024, 2:40 a.m. This repo has been linked 7 different CVEs too.

收集整理漏洞EXP/POC,大部分漏洞来源网络,目前收集整理了1300多个poc/exp,长期更新。

poc

Updated: 2 days, 19 hours ago
4250 stars 867 fork 867 watcher
Born at : Aug. 19, 2023, 12:08 p.m. This repo has been linked 159 different CVEs too.

一个CVE漏洞预警知识库 no exp/poc

Updated: 2 weeks, 6 days ago
95 stars 11 fork 11 watcher
Born at : Jan. 5, 2023, 2:19 a.m. This repo has been linked 133 different CVEs too.

学而不思则罔,思而不学则殆💦

pentesting pentration-testing

Updated: 1 month, 2 weeks ago
36 stars 3 fork 3 watcher
Born at : April 3, 2022, 10 a.m. This repo has been linked 62 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2024-36104 vulnerability anywhere in the article.

  • TheCyberThrone
Apache OFBiz Vulnerability CVE-2024-45195 actively exploited

Apache OFBiz has got a security update for a flaw CVE-2024-45195 with a CVSS score of 7.5 that  allows attackers to bypass authorization checks and execute arbitrary code on the server, even without v ... Read more

Published Date: Sep 13, 2024 (2 months, 3 weeks ago)
  • Cybersecurity News
Hackers target Apache OFBiz RCE flaw CVE-2024-45195 after PoC exploit released

Image: Rapid7According to a report from Imperva, over 25,000 malicious requests targeting 4,000 unique sites have been detected since the CVE-2024-45195 vulnerability in Apache OFBiz was disclosed. Th ... Read more

Published Date: Sep 13, 2024 (2 months, 3 weeks ago)
  • security.nl
Apache verhelpt kritieke RCE-kwetsbaarheid in ERP-oplossing OFBiz

Apache heeft een kritieke kwetsbaarheid in ERP-oplossing OFBiz verholpen waardoor een ongeauthenticeerde aanvaller op afstand code op het ERP-systeem kan uitvoeren. Onlangs werden twee andere beveilig ... Read more

Published Date: Sep 06, 2024 (2 months, 4 weeks ago)
  • The Cyber Express
Critical RCE Vulnerability Patched in Apache OFBiz (CVE-2024-45195)

Popular open-source enterprise Resource Planning (ERP) system, Apache OFBiz, recently discovered harboring a critical Remote Code Execution (RCE) vulnerability. Tracked as CVE-2024-45195, the Apache O ... Read more

Published Date: Sep 06, 2024 (2 months, 4 weeks ago)
  • Help Net Security
Apache OFBiz team patches critical RCE vulnerability (CVE-2024-45195)

For the fourth time in the last five months, Apache OFBiz users have been advised to upgrade their installations to fix a critical flaw (CVE-2024-45195) that could lead to unauthenticated remote code ... Read more

Published Date: Sep 06, 2024 (2 months, 4 weeks ago)
  • The Hacker News
Apache OFBiz Update Fixes High-Severity Flaw Leading to Remote Code Execution

Cybersecurity / Vulnerability A new security flaw has been addressed in the Apache OFBiz open-source enterprise resource planning (ERP) system that, if successfully exploited, could lead to unauthenti ... Read more

Published Date: Sep 06, 2024 (2 months, 4 weeks ago)
  • BleepingComputer
Apache fixes critical OFBiz remote code execution vulnerability

Apache has fixed a critical security vulnerability in its open-source OFBiz (Open For Business) software, which could allow attackers to execute arbitrary code on vulnerable Linux and Windows servers. ... Read more

Published Date: Sep 05, 2024 (2 months, 4 weeks ago)
  • Dark Reading
Exploited: CISA Highlights Apache OFBiz Flaw After PoC Emerges

Source: tofino via Alamy Stock PhotoCISA has added a critical security flaw in the Apache OFBiz open source enterprise resource planning (ERP) system to its Known Exploited Vulnerabilities (KEV) catal ... Read more

Published Date: Aug 29, 2024 (3 months ago)
  • The Cyber Express
Critical Apache OFBiz Vulnerability CVE-2024-38856 Identified and Actively Exploited

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a security vulnerability affecting Apache OFBiz, the open-source enterprise resource planning (ERP) system. This Apache OFB ... Read more

Published Date: Aug 28, 2024 (3 months, 1 week ago)
  • The Hacker News
CISA Flags Critical Apache OFBiz Flaw Amid Active Exploitation Reports

Software Security / Vulnerability The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw affecting the Apache OFBiz open-source enterprise resource ... Read more

Published Date: Aug 28, 2024 (3 months, 1 week ago)
  • Cybersecurity News
Microsoft Signals End of an Era: Control Panel to be Phased Out

After over a decade of speculation, Microsoft has officially confirmed that the traditional Control Panel, a cornerstone of Windows system management for nearly three decades, is set to be deprecated ... Read more

Published Date: Aug 22, 2024 (3 months, 1 week ago)
  • Cybersecurity News
CVE-2024-21689: RCE Vulnerability in Atlassian Bamboo Data Center and Server

Atlassian, a global leader in software development tools, has issued a security advisory for its Bamboo Data Center and Server products, highlighting a high-severity Remote Code Execution (RCE) vulner ... Read more

Published Date: Aug 21, 2024 (3 months, 2 weeks ago)
  • Cybersecurity News
CVE-2024-5932 (CVSS 10): Critical RCE Vulnerability Impacts 100k+ WordPress Sites

A critical security flaw (CVE-2024-5932) in the popular GiveWP WordPress plugin has left over 100,000 websites vulnerable to remote code execution and unauthorized file deletion. This vulnerability, s ... Read more

Published Date: Aug 20, 2024 (3 months, 2 weeks ago)
  • TheCyberThrone
Apache Cloudstack fixes CVE-2024-42062 & CVE-2024-42222

Apache CloudStack project has released patches for  addressing  two critical vulnerabilities, that could allow attackers to gain unauthorized access to sensitive information and compromise the integri ... Read more

Published Date: Aug 08, 2024 (3 months, 3 weeks ago)
  • Cybersecurity News
PoC Exploit Released for Apache OFBiz Remote Code Execution Flaw (CVE-2024-38856)

Today, cybersecurity researcher Zeyad Azima from SecureLayer7 and Youssef Muhammad have published a proof-of-concept (PoC) exploit code for a critical vulnerability (CVE-2024-38856) in the Apache OFBi ... Read more

Published Date: Aug 08, 2024 (3 months, 3 weeks ago)
  • Cybersecurity News
CVE-2024-43044: Critical Jenkins Vulnerability Exposes Servers to RCE Attacks

Today, Jenkins, the popular open-source automation server, has issued an urgent advisory detailing two vulnerabilities, one with a critical severity rating. These vulnerabilities, identified as CVE-20 ... Read more

Published Date: Aug 07, 2024 (3 months, 3 weeks ago)
  • Cyber Security News
Apache OFBiz Zero-Day Vulnerability Let Attackers Execute Remote Code

A critical zero-day vulnerability in Apache OFBiz, an open-source enterprise resource planning (ERP) system, has been discovered that could allow unauthenticated attackers to execute arbitrary code re ... Read more

Published Date: Aug 06, 2024 (3 months, 4 weeks ago)
  • The Hacker News
New Zero-Day Flaw in Apache OFBiz ERP Allows Remote Code Execution

Enterprise Security / Vulnerability A new zero-day pre-authentication remote code execution vulnerability has been disclosed in the Apache OFBiz open-source enterprise resource planning (ERP) system t ... Read more

Published Date: Aug 06, 2024 (3 months, 4 weeks ago)
  • Help Net Security
Critical Apache OFBiz pre-auth RCE flaw fixed, update ASAP! (CVE-2024-38856)

CVE-2024-38856, an incorrect authorization vulnerability affecting all but the latest version of Apache OFBiz, may be exploited by remote, unauthenticated attackers to execute arbitrary code on vulner ... Read more

Published Date: Aug 05, 2024 (3 months, 4 weeks ago)

The following table lists the changes that have been made to the CVE-2024-36104 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Nov. 21, 2024

    Action Type Old Value New Value
    Added Reference http://www.openwall.com/lists/oss-security/2024/06/03/1
    Added Reference https://issues.apache.org/jira/browse/OFBIZ-13092
    Added Reference https://lists.apache.org/thread/sv0xr8b1j7mmh5p37yldy9vmnzbodz2o
    Added Reference https://ofbiz.apache.org/download.html
    Added Reference https://ofbiz.apache.org/security.html
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Jul. 03, 2024

    Action Type Old Value New Value
    Added CVSS V3.1 CISA-ADP AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • CVE Modified by [email protected]

    Jun. 10, 2024

    Action Type Old Value New Value
    Added Reference Apache Software Foundation http://www.openwall.com/lists/oss-security/2024/06/03/1 [No types assigned]
  • CVE Received by [email protected]

    Jun. 04, 2024

    Action Type Old Value New Value
    Added Description Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.14. Users are recommended to upgrade to version 18.12.14, which fixes the issue.
    Added Reference Apache Software Foundation https://ofbiz.apache.org/download.html [No types assigned]
    Added Reference Apache Software Foundation https://ofbiz.apache.org/security.html [No types assigned]
    Added Reference Apache Software Foundation https://issues.apache.org/jira/browse/OFBIZ-13092 [No types assigned]
    Added Reference Apache Software Foundation https://lists.apache.org/thread/sv0xr8b1j7mmh5p37yldy9vmnzbodz2o [No types assigned]
    Added CWE Apache Software Foundation CWE-22
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-36104 is associated with the following CWEs:

CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability