CVE-2023-49070 - Vulnerability Details - OpenCVE

Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before 18.12.10. Users are recommended to upgrade to version 18.12.10

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Ofbiz

Configuration 1 [-]

cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/176323/Apache-OFBiz-18.12.09-Remote-Code-Execution.html
https://issues.apache.org/jira/browse/OFBIZ-12812
https://lists.apache.org/thread/jmbqk2lp4t4483whzndp5xqlq4f3otg3
https://ofbiz.apache.org/download.html
https://ofbiz.apache.org/release-notes-18.12.10.html
https://ofbiz.apache.org/security.html
https://www.vicarius.io/vsociety/posts/apache-ofbiz-authentication-bypass-vulnerability-cve-2023-49070-and-cve-2023-51467

History

Thu, 13 Feb 2025 17:30:00 +0000

Type	Values Removed	Values Added
Description	Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before 18.12.10. Users are recommended to upgrade to version 18.12.10	Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before 18.12.10. Users are recommended to upgrade to version 18.12.10

Fri, 22 Nov 2024 12:00:00 +0000

Type	Values Removed	Values Added
References		https://www.vicarius.io/vsociety/posts/apache-ofbiz-authentication-bypass-vulnerability-cve-2023-49070-and-cve-2023-51467

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2023-12-05T08:05:06.966Z

Updated: 2025-02-13T17:18:28.237Z

Reserved: 2023-11-21T12:04:43.559Z

Link: CVE-2023-49070

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-12-05T08:15:07.443

Modified: 2025-02-13T18:15:40.640

Link: CVE-2023-49070

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-49070", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-11-21T12:04:43.559Z", "datePublished": "2023-12-05T08:05:06.966Z", "dateUpdated": "2025-02-13T17:18:28.237Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Apache OFBiz", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "18.12.10", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Siebene@"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Pre-auth RCE in Apache Ofbiz 18.12.09.<br><br>It's due to XML-RPC <span style=\"background-color: rgb(255, 255, 255);\">no longer maintained</span> still present.<br><p>This issue affects Apache OFBiz: before 18.12.10. <br><span style=\"background-color: rgb(255, 255, 255);\">Users are recommended to upgrade to version 18.12.10</span></p>"}], "value": "Pre-auth RCE in Apache Ofbiz 18.12.09.\n\nIt's due to XML-RPC\u00a0no longer maintained\u00a0still present.\nThis issue affects Apache OFBiz: before 18.12.10.\u00a0\nUsers are recommended to upgrade to version 18.12.10"}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-12-29T18:06:17.151Z"}, "references": [{"tags": ["mitigation"], "url": "https://ofbiz.apache.org/download.html"}, {"tags": ["related"], "url": "https://ofbiz.apache.org/security.html"}, {"tags": ["release-notes"], "url": "https://ofbiz.apache.org/release-notes-18.12.10.html"}, {"tags": ["issue-tracking"], "url": "https://issues.apache.org/jira/browse/OFBIZ-12812"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/jmbqk2lp4t4483whzndp5xqlq4f3otg3"}, {"url": "http://packetstormsecurity.com/files/176323/Apache-OFBiz-18.12.09-Remote-Code-Execution.html"}], "source": {"defect": ["OFBIZ-12812"], "discovery": "EXTERNAL"}, "title": "Pre-auth RCE in Apache Ofbiz 18.12.09 due to XML-RPC still present", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-19T07:48:13.953Z"}, "title": "CVE Program Container", "references": [{"tags": ["mitigation", "x_transferred"], "url": "https://ofbiz.apache.org/download.html"}, {"tags": ["related", "x_transferred"], "url": "https://ofbiz.apache.org/security.html"}, {"tags": ["release-notes", "x_transferred"], "url": "https://ofbiz.apache.org/release-notes-18.12.10.html"}, {"tags": ["issue-tracking", "x_transferred"], "url": "https://issues.apache.org/jira/browse/OFBIZ-12812"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/jmbqk2lp4t4483whzndp5xqlq4f3otg3"}, {"url": "http://packetstormsecurity.com/files/176323/Apache-OFBiz-18.12.09-Remote-Code-Execution.html", "tags": ["x_transferred"]}, {"url": "https://www.vicarius.io/vsociety/posts/apache-ofbiz-authentication-bypass-vulnerability-cve-2023-49070-and-cve-2023-51467"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*", "matchCriteriaId": "10BDFE5A-6BD0-4A4B-A60F-2463D923FE93", "versionEndExcluding": "18.12.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Pre-auth RCE in Apache Ofbiz 18.12.09.\n\nIt's due to XML-RPC\u00a0no longer maintained\u00a0still present.\nThis issue affects Apache OFBiz: before 18.12.10.\u00a0\nUsers are recommended to upgrade to version 18.12.10"}, {"lang": "es", "value": "RCE de autorizaci\u00f3n previa en Apache Ofbiz 18.12.09. Se debe a que XML-RPC ya no se mantiene presente. Este problema afecta a Apache OFBiz: antes del 18.12.10. Se recomienda a los usuarios actualizar a la versi\u00f3n 18.12.10"}], "id": "CVE-2023-49070", "lastModified": "2025-02-13T18:15:40.640", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-12-05T08:15:07.443", "references": [{"source": "security@apache.org", "url": "http://packetstormsecurity.com/files/176323/Apache-OFBiz-18.12.09-Remote-Code-Execution.html"}, {"source": "security@apache.org", "tags": ["Issue Tracking", "Patch"], "url": "https://issues.apache.org/jira/browse/OFBIZ-12812"}, {"source": "security@apache.org", "tags": ["Mailing List"], "url": "https://lists.apache.org/thread/jmbqk2lp4t4483whzndp5xqlq4f3otg3"}, {"source": "security@apache.org", "tags": ["Product"], "url": "https://ofbiz.apache.org/download.html"}, {"source": "security@apache.org", "tags": ["Release Notes"], "url": "https://ofbiz.apache.org/release-notes-18.12.10.html"}, {"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://ofbiz.apache.org/security.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/176323/Apache-OFBiz-18.12.09-Remote-Code-Execution.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://issues.apache.org/jira/browse/OFBIZ-12812"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "https://lists.apache.org/thread/jmbqk2lp4t4483whzndp5xqlq4f3otg3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://ofbiz.apache.org/download.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://ofbiz.apache.org/release-notes-18.12.10.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://ofbiz.apache.org/security.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.vicarius.io/vsociety/posts/apache-ofbiz-authentication-bypass-vulnerability-cve-2023-49070-and-cve-2023-51467"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@apache.org", "type": "Secondary"}]}