CVE-2024-36104
Apache OFBiz Path Traversal Vulnerability
Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.14. Users are recommended to upgrade to version 18.12.14, which fixes the issue.
INFO
Published Date :
June 4, 2024, 8:15 a.m.
Last Modified :
Nov. 21, 2024, 9:21 a.m.
Source :
[email protected]
Remotely Exploitable :
Yes !
Impact Score :
5.2
Exploitability Score :
3.9
Public PoC/Exploit Available at Github
CVE-2024-36104 has a 17 public PoC/Exploit
available at Github.
Go to the Public Exploits
tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2024-36104
.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
A curated collection of Proof of Concept (PoC) tools, scripts, and techniques designed for red team operations, penetration testing, and cybersecurity research. This repository focuses on providing practical resources for exploring vulnerabilities
attack cybersecurity exp hw penetration-testing poc red-team security-tools vulnerability-poc
这是一个每天同步Vulnerability-Wiki中docs-base中内容的项目
HTML
None
None
HTML
None
HTML
None
None
Apache OFBIZ Path traversal leading to RCE POC[CVE-2024-32113 & CVE-2024-36104]
apache cve cve-2024 ofbiz rce rce-exploit cve-2024-32113 poc cve-2024-36104
nuclei templates
None
HTML Python
Apache OfBiz vulns
nuclei templates, poc/exp
收集整理漏洞EXP/POC,大部分漏洞来源网络,目前收集整理了1300多个poc/exp,长期更新。
poc
一个CVE漏洞预警知识库 no exp/poc
学而不思则罔,思而不学则殆💦
pentesting pentration-testing
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2024-36104
vulnerability anywhere in the article.
- TheCyberThrone
Apache OFBiz Vulnerability CVE-2024-45195 actively exploited
Apache OFBiz has got a security update for a flaw CVE-2024-45195 with a CVSS score of 7.5 that allows attackers to bypass authorization checks and execute arbitrary code on the server, even without v ... Read more
- Cybersecurity News
Hackers target Apache OFBiz RCE flaw CVE-2024-45195 after PoC exploit released
Image: Rapid7According to a report from Imperva, over 25,000 malicious requests targeting 4,000 unique sites have been detected since the CVE-2024-45195 vulnerability in Apache OFBiz was disclosed. Th ... Read more
- security.nl
Apache verhelpt kritieke RCE-kwetsbaarheid in ERP-oplossing OFBiz
Apache heeft een kritieke kwetsbaarheid in ERP-oplossing OFBiz verholpen waardoor een ongeauthenticeerde aanvaller op afstand code op het ERP-systeem kan uitvoeren. Onlangs werden twee andere beveilig ... Read more
- The Cyber Express
Critical RCE Vulnerability Patched in Apache OFBiz (CVE-2024-45195)
Popular open-source enterprise Resource Planning (ERP) system, Apache OFBiz, recently discovered harboring a critical Remote Code Execution (RCE) vulnerability. Tracked as CVE-2024-45195, the Apache O ... Read more
- Help Net Security
Apache OFBiz team patches critical RCE vulnerability (CVE-2024-45195)
For the fourth time in the last five months, Apache OFBiz users have been advised to upgrade their installations to fix a critical flaw (CVE-2024-45195) that could lead to unauthenticated remote code ... Read more
- The Hacker News
Apache OFBiz Update Fixes High-Severity Flaw Leading to Remote Code Execution
Cybersecurity / Vulnerability A new security flaw has been addressed in the Apache OFBiz open-source enterprise resource planning (ERP) system that, if successfully exploited, could lead to unauthenti ... Read more
- BleepingComputer
Apache fixes critical OFBiz remote code execution vulnerability
Apache has fixed a critical security vulnerability in its open-source OFBiz (Open For Business) software, which could allow attackers to execute arbitrary code on vulnerable Linux and Windows servers. ... Read more
- Dark Reading
Exploited: CISA Highlights Apache OFBiz Flaw After PoC Emerges
Source: tofino via Alamy Stock PhotoCISA has added a critical security flaw in the Apache OFBiz open source enterprise resource planning (ERP) system to its Known Exploited Vulnerabilities (KEV) catal ... Read more
- The Cyber Express
Critical Apache OFBiz Vulnerability CVE-2024-38856 Identified and Actively Exploited
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a security vulnerability affecting Apache OFBiz, the open-source enterprise resource planning (ERP) system. This Apache OFB ... Read more
- The Hacker News
CISA Flags Critical Apache OFBiz Flaw Amid Active Exploitation Reports
Software Security / Vulnerability The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw affecting the Apache OFBiz open-source enterprise resource ... Read more
- Cybersecurity News
Microsoft Signals End of an Era: Control Panel to be Phased Out
After over a decade of speculation, Microsoft has officially confirmed that the traditional Control Panel, a cornerstone of Windows system management for nearly three decades, is set to be deprecated ... Read more
- Cybersecurity News
CVE-2024-21689: RCE Vulnerability in Atlassian Bamboo Data Center and Server
Atlassian, a global leader in software development tools, has issued a security advisory for its Bamboo Data Center and Server products, highlighting a high-severity Remote Code Execution (RCE) vulner ... Read more
- Cybersecurity News
CVE-2024-5932 (CVSS 10): Critical RCE Vulnerability Impacts 100k+ WordPress Sites
A critical security flaw (CVE-2024-5932) in the popular GiveWP WordPress plugin has left over 100,000 websites vulnerable to remote code execution and unauthorized file deletion. This vulnerability, s ... Read more
- TheCyberThrone
Apache Cloudstack fixes CVE-2024-42062 & CVE-2024-42222
Apache CloudStack project has released patches for addressing two critical vulnerabilities, that could allow attackers to gain unauthorized access to sensitive information and compromise the integri ... Read more
- Cybersecurity News
PoC Exploit Released for Apache OFBiz Remote Code Execution Flaw (CVE-2024-38856)
Today, cybersecurity researcher Zeyad Azima from SecureLayer7 and Youssef Muhammad have published a proof-of-concept (PoC) exploit code for a critical vulnerability (CVE-2024-38856) in the Apache OFBi ... Read more
- Cybersecurity News
CVE-2024-43044: Critical Jenkins Vulnerability Exposes Servers to RCE Attacks
Today, Jenkins, the popular open-source automation server, has issued an urgent advisory detailing two vulnerabilities, one with a critical severity rating. These vulnerabilities, identified as CVE-20 ... Read more
- Cyber Security News
Apache OFBiz Zero-Day Vulnerability Let Attackers Execute Remote Code
A critical zero-day vulnerability in Apache OFBiz, an open-source enterprise resource planning (ERP) system, has been discovered that could allow unauthenticated attackers to execute arbitrary code re ... Read more
- The Hacker News
New Zero-Day Flaw in Apache OFBiz ERP Allows Remote Code Execution
Enterprise Security / Vulnerability A new zero-day pre-authentication remote code execution vulnerability has been disclosed in the Apache OFBiz open-source enterprise resource planning (ERP) system t ... Read more
- Help Net Security
Critical Apache OFBiz pre-auth RCE flaw fixed, update ASAP! (CVE-2024-38856)
CVE-2024-38856, an incorrect authorization vulnerability affecting all but the latest version of Apache OFBiz, may be exploited by remote, unauthenticated attackers to execute arbitrary code on vulner ... Read more
The following table lists the changes that have been made to the
CVE-2024-36104
vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Nov. 21, 2024
Action Type Old Value New Value Added Reference http://www.openwall.com/lists/oss-security/2024/06/03/1 Added Reference https://issues.apache.org/jira/browse/OFBIZ-13092 Added Reference https://lists.apache.org/thread/sv0xr8b1j7mmh5p37yldy9vmnzbodz2o Added Reference https://ofbiz.apache.org/download.html Added Reference https://ofbiz.apache.org/security.html -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Jul. 03, 2024
Action Type Old Value New Value Added CVSS V3.1 CISA-ADP AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N -
CVE Modified by [email protected]
Jun. 10, 2024
Action Type Old Value New Value Added Reference Apache Software Foundation http://www.openwall.com/lists/oss-security/2024/06/03/1 [No types assigned] -
CVE Received by [email protected]
Jun. 04, 2024
Action Type Old Value New Value Added Description Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.14. Users are recommended to upgrade to version 18.12.14, which fixes the issue. Added Reference Apache Software Foundation https://ofbiz.apache.org/download.html [No types assigned] Added Reference Apache Software Foundation https://ofbiz.apache.org/security.html [No types assigned] Added Reference Apache Software Foundation https://issues.apache.org/jira/browse/OFBIZ-13092 [No types assigned] Added Reference Apache Software Foundation https://lists.apache.org/thread/sv0xr8b1j7mmh5p37yldy9vmnzbodz2o [No types assigned] Added CWE Apache Software Foundation CWE-22
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2024-36104
is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2024-36104
weaknesses.