Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2018-8033Sensitive Information Exposure in Apache Ofbiz

CWE-200Sensitive Information Exposure5 documents5 sources
Severity
7.5HIGHNVD
EPSS
92.2%
top 0.29%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Apache OfbizApache Software Foundation Apache Ofbiz
Timeline
PublishedDec 13
Latest updateMay 14

Description

In Apache OFBiz 16.11.01 to 16.11.04, the OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. Both POST and GET requests to the httpService endpoint may contain three parameters: serviceName, serviceMode, and serviceContext. The exploitation occurs by having DOCTYPEs pointing to external references that trigger a payload that returns secret information from the host.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

NVDapache/ofbiz16.11.0116.11.04
CVEListV5apache_software_foundation/apache_ofbizApache OFBiz 16.11.01 to 16.11.04

🔴Vulnerability Details

2
GHSA
GHSA-2v2f-rp8w-vrxh: In Apache OFBiz 162022-05-14
CVEList
CVE-2018-8033: In Apache OFBiz 162018-12-13

💥Exploits & PoCs

1
Nuclei
Apache OFBiz - XML External Entity Injection

📋Vendor Advisories

1
Apache
Apache ofbiz: CVE-2018-8033
CVE-2018-8033 — Sensitive Information Exposure | cvebase