Vulnerability Description
Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. The same uri can be operated to realize a SSRF attack also without authorizations. Users are recommended to upgrade to version 18.12.11, which fixes this issue.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Ofbiz | < 18.12.11 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2023/12/26/2Mailing ListThird Party Advisory
- https://issues.apache.org/jira/browse/OFBIZ-12875Issue TrackingPatchVendor Advisory
- https://lists.apache.org/thread/x5now4bk3llwf3k58kl96qvtjyxwp43qMailing ListVendor Advisory
- https://ofbiz.apache.org/download.htmlProduct
- https://ofbiz.apache.org/release-notes-18.12.11.htmlRelease Notes
- https://ofbiz.apache.org/security.htmlVendor Advisory
- http://www.openwall.com/lists/oss-security/2023/12/26/2Mailing ListThird Party Advisory
- https://issues.apache.org/jira/browse/OFBIZ-12875Issue TrackingPatchVendor Advisory
- https://lists.apache.org/thread/x5now4bk3llwf3k58kl96qvtjyxwp43qMailing ListVendor Advisory
- https://ofbiz.apache.org/download.htmlProduct
- https://ofbiz.apache.org/release-notes-18.12.11.htmlRelease Notes
- https://ofbiz.apache.org/security.htmlVendor Advisory
FAQ
What is CVE-2023-50968?
CVE-2023-50968 is a vulnerability with a CVSS score of 7.5 (HIGH). Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. The same uri can be operated to realize a SSRF attack...
How severe is CVE-2023-50968?
CVE-2023-50968 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-50968?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Ofbiz.