CVE-2024-38856

Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*

History

21 Nov 2024, 09:26

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2024/08/04/1 -

28 Aug 2024, 16:15

Type Values Removed Values Added
CPE cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : 8.1
v2 : unknown
v3 : 9.8
First Time Apache
Apache ofbiz
References () https://issues.apache.org/jira/browse/OFBIZ-13128 - () https://issues.apache.org/jira/browse/OFBIZ-13128 - Issue Tracking
References () https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w - () https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w - Mailing List, Vendor Advisory
References () https://ofbiz.apache.org/download.html - () https://ofbiz.apache.org/download.html - Product
References () https://ofbiz.apache.org/security.html - () https://ofbiz.apache.org/security.html - Vendor Advisory

06 Aug 2024, 13:35

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.1

05 Aug 2024, 12:41

Type Values Removed Values Added
Summary
  • (es) Vulnerabilidad de autorización incorrecta en Apache OFBiz. Este problema afecta a Apache OFBiz: hasta la versión 18.12.14. Se recomienda a los usuarios que actualicen a la versión 18.12.15, que soluciona el problema. Los puntos finales no autenticados podrían permitir la ejecución del código de representación de pantallas si se cumplen algunas condiciones previas (por ejemplo, cuando las definiciones de pantalla no comprueban explícitamente los permisos del usuario porque dependen de la configuración de sus endpoints).

05 Aug 2024, 09:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-05 09:15

Updated : 2024-11-21 09:26


NVD link : CVE-2024-38856

Mitre link : CVE-2024-38856

CVE.ORG link : CVE-2024-38856


JSON object : View

Products Affected

apache

  • ofbiz
CWE
CWE-863

Incorrect Authorization