Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2023-51467

CWE-918 — Server-Side Request Forgery (SSRF)11 documents9 sources

Severity

9.8CRITICAL

EPSS

94.0%

top 0.11%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Apache Software Foundation Apache Ofbiz Apache Ofbiz

Timeline

PublishedDec 26

Latest updateJan 12

Description

The vulnerability permits attackers to circumvent authentication processes, enabling them to remotely execute arbitrary code

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDapache/ofbiz< 18.12.11

▶CVEListV5apache_software_foundation/apache_ofbiz< 18.12.11

Patches

Patch: issues.apache.org ↗Patch: issues.apache.org ↗

🔴Vulnerability Details

GHSA

GHSA-9699-fmx5-wvpf: The vulnerability allows attackers to bypass authentication to achieve a simple Server-Side Request Forgery (SSRF)↗2023-12-26

▶

CVEList

Apache OFBiz: Pre-authentication Remote Code Execution (RCE) vulnerability↗2023-12-26

▶

VulnCheck

Apache OFBiz Server-Side Request Forgery (SSRF)↗2023

▶

💥Exploits & PoCs

Nuclei

Apache OFBiz < 18.12.11 - Remote Code Execution

▶

Metasploit

Apache OFBiz XML-RPC Java Deserialization↗

▶

🔍Detection Rules

Suricata

ET WEB_SPECIFIC_APPS Apache OFBiz Authentication Bypass (CVE-2023-51467) M2↗2024-01-12

▶

Suricata

ET WEB_SPECIFIC_APPS Apache OFBiz Authentication Bypass (CVE-2023-51467) M1↗2024-01-12

▶

Suricata

ET WEB_SPECIFIC_APPS Apache OFBiz Authentication Bypass Vulnerability Check (CVE-2023-51467)↗2024-01-12

▶

📋Vendor Advisories

Apache

Apache ofbiz: CVE-2023-51467↗

▶