CVE-2024-45507

CRITICAL EPSS 99.8%
Published Sep 4, 20241y ago · Modified Jun 17, 20261w ago
9.8 CVSS 3.1
Critical
Find Similar
Published Sep 4, 2024 1y ago
Last Modified Jun 17, 2026 1w ago

Description

Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue.

CVSS Details

Base Score
9.8
Exploitability
3.9
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
99.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-918 Server-Side Request Forgery (SSRF) Validation
CWE-94 Improper Control of Generation of Code (Code Injection) Injection

Affected Products 1

VendorProductVersionRange
apacheofbiz* <18.12.16

References 5

  • openwall.com http://www.openwall.com/lists/oss-security/2024/09/03/7
  • issues.apache.org https://issues.apache.org/jira/browse/OFBIZ-13132
    Issue TrackingPatchVendor Advisory
  • lists.apache.org https://lists.apache.org/thread/o90dd9lbk1hh3t2557t2y2qvrh92p7wy
    Mailing List
  • ofbiz.apache.org https://ofbiz.apache.org/download.html
    Product
  • ofbiz.apache.org https://ofbiz.apache.org/security.html
    PatchVendor Advisory

Remediation

  • issues.apache.org https://issues.apache.org/jira/browse/OFBIZ-13132
    Issue TrackingPatchVendor Advisory
  • ofbiz.apache.org https://ofbiz.apache.org/security.html
    PatchVendor Advisory