CVE-2018-8033

Name of the Vulnerable Software and Affected Versions: Apache OFBiz versions 16.11.01 through 16.11.04

Description: The issue concerns the OFBiz HTTP engine, specifically the handling of requests for HTTP services via the "/webtools/control/httpService" endpoint. Both POST and GET requests to this endpoint may contain parameters such as serviceName, serviceMode, and serviceContext. The exploitation occurs through DOCTYPEs that point to external references, triggering a payload that returns secret information from the host.

Recommendations: For Apache OFBiz versions 16.11.01 through 16.11.04, consider disabling the httpService endpoint until a patch is available. Restrict access to the "/webtools/control/httpService" endpoint to minimize the risk of exploitation. Avoid using the parameters serviceName, serviceMode, and serviceContext in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.