CVE-2022-25371

CWE-22 — Path Traversal CWE-94 — Code Injection CWE-362 — Race Condition5 documents5 sources

Severity

9.8CRITICAL

EPSS

2.2%

top 15.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Ofbiz Apache Software Foundation Apache Ofbiz

Timeline

PublishedSep 2

Latest updateFeb 26

Description

Apache OFBiz uses the Birt project plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. By leveraging a bug in Birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142) it is possible to perform a remote code execution (RCE) attack in Apache OFBiz, release 18.12.05 and earlier.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDapache/ofbiz< 18.12.06

▶CVEListV5apache_software_foundation/apache_ofbizApache OFBiz — 18.12.05

Patches

Patch: www.openwall.com ↗Patch: www.openwall.com ↗Patch: lists.apache.org ↗

🔴Vulnerability Details

GHSA

GHSA-4vm3-cxh9-9697: Apache OFBiz uses the Birt project plugin (https://eclipse↗2022-09-03

▶

CVEList

Unauth Path Traversal with file corruption affecting the Birt plugin of Apache OFBiz↗2022-09-02

▶

📋Vendor Advisories

Red Hat

kernel: ext4: fix race condition between ext4_write and ext4_convert_inline_data↗2025-02-26

▶

Apache

Apache ofbiz: CVE-2022-25371↗

▶