⚠ Actively exploited
Added to CISA KEV on 2024-08-27. Federal agencies are required to remediate by 2024-09-17. Required action: apply mitigations per vendor instructions, or discontinue use of the product if mitigations are unavailable.
CVE-2024-38856
Severity: 9.8 CRITICAL
EPSS: 94.4% (top 0.03%)
CISA KEV: added 2024-08-27, due 2024-09-17
Exploit status: exploited in the wild; active exploitation observed
Affected products: Apache OFBiz through 18.12.14 (fixed in 18.12.15)
Timeline
Published: Aug 5, 2024
KEV added: Aug 27, 2024
KEV due: Sep 17, 2024
Description
Incorrect Authorization vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: through 18.12.14.
Users are recommended to upgrade to version 18.12.15, which fixes the issue.
Unauthenticated requests can reach endpoints that execute the rendering code of screens, provided certain preconditions hold: for example, when a screen definition does not check the user's permissions itself because it relies on the authentication settings configured for its endpoint.
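The precondition in the description is easiest to see in OFBiz's own configuration format. The fragment below is an added illustration, not code from the Apache advisory or the OFBiz project; the screen name InternalReport, the request URI internalReport, the component path and the permission MYAPP are hypothetical. The first screen definition has no permission check of its own and is safe only as long as every route that reaches it requires authentication; the second checks the permission inside the screen, so it holds even if a request reaches the renderer by another route. Adding screen-level checks is defense in depth, not a substitute for upgrading to 18.12.15.

```xml
<!-- controller.xml (hypothetical excerpt): the only guard is the request-map's
     auth="true". A screen that is reached through any other route inherits no
     protection from this entry. -->
<request-map uri="internalReport">
    <security https="true" auth="true"/>
    <response name="success" type="view" value="internalReport"/>
</request-map>
<view-map name="internalReport" type="screen"
          page="component://myapp/widget/MyAppScreens.xml#InternalReport"/>

<!-- MyAppScreens.xml, weak form: the screen relies entirely on the endpoint
     configuration above and renders for whoever reaches it. -->
<screen name="InternalReport">
    <section>
        <widgets>
            <label text="Internal report (hypothetical content)"/>
        </widgets>
    </section>
</screen>

<!-- MyAppScreens.xml, hardened form: the screen checks the permission itself
     and renders only the fail-widgets when the caller lacks it. -->
<screen name="InternalReport">
    <section>
        <condition>
            <if-has-permission permission="MYAPP" action="_VIEW"/>
        </condition>
        <widgets>
            <label text="Internal report (hypothetical content)"/>
        </widgets>
        <fail-widgets>
            <label style="h3" text="You do not have permission to view this screen."/>
        </fail-widgets>
    </section>
</screen>
```

The `<condition>` block is evaluated by the screen renderer, not by the request handler, which is what makes the second form independent of how the request arrived. When reviewing an OFBiz deployment for this class of issue, grep the widget XML for screens that render sensitive data or run actions without any `<condition>` and compare them against the request-maps that can reach them.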
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability subscore: 3.9 | Impact subscore: 5.9
Vulnerability details

Exploits & PoCs (3)
Nuclei templates (2): Apache OFBiz - Improper Authorization & Remote Code Execution

Detection rules
Suricata (1): ET WEB_SPECIFIC_APPS Apache OFBiz Pre-Auth Remote Code Execution Attempt (CVE-2024-38856), published 2024-08-06