PT-2024-3458 · Apache · Apache Ofbiz

Qiyi Zhang and one other

Published 2024-05-08 · Updated 2026-02-16 · CVE-2024-32113

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Apache OFBiz versions prior to 18.12.13
Description: The issue is an improper limitation of a pathname to a restricted directory, also known as path traversal; in practice it behaves as an authentication bypass, which is why it is also tagged as incorrect authorization. A remote, unauthenticated attacker can execute arbitrary code on the server by sending a specially crafted URL. The vulnerability has been exploited in the wild, including by the Mirai botnet. Exploitation is simple: the attacker takes a public (unauthenticated) control-servlet URL, appends a semicolon (;), and follows it with the path of the private endpoint they want to reach. The authentication check is evaluated against the public part of the path while the request is actually served by the private part, so the check is bypassed and the privileged endpoint can be driven to code execution.
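To make the mechanism concrete, here is a small Python model of the class of mistake the advisory describes: an authorization check that keys on one part of the path while the dispatcher executes another. It is an added example written for this page, not Apache OFBiz code; the handler table and every handler name other than forgotPassword are assumptions, and the model deliberately does not reproduce why the real code needs the semicolon specifically, only how two parsers that disagree about the request produce a bypass.

```python
"""Simplified model of the routing mistake behind CVE-2024-32113.

Added example for this page, not Apache OFBiz source: the handler table and every
handler name except forgotPassword (which the advisory names) are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit

# Hypothetical controller table: handler name -> whether a logged-in user is required.
HANDLERS: Dict[str, bool] = {
    "forgotPassword": False,  # public, must work without a session (named on the page)
    "main": True,
    "adminExport": True,      # placeholder for a privileged handler; name is an assumption
}


@dataclass(frozen=True)
class Decision:
    auth_subject: str  # handler the authorization check was evaluated against
    target: str        # handler that would actually be executed
    allowed: bool


def control_segments(url: str) -> List[str]:
    """Path segments after /control/, with ';...' path parameters stripped per segment.

    Servlet containers drop path parameters before the application sees the path, so
    'forgotPassword;/adminExport' reaches the router as ['forgotPassword', 'adminExport'].
    """
    path = urlsplit(url).path
    marker = "/control/"
    idx = path.find(marker)
    if idx < 0:
        raise ValueError(f"not a control servlet URL: {url}")
    raw = path[idx + len(marker):]
    segs = [s.split(";", 1)[0] for s in raw.split("/")]
    segs = [s for s in segs if s]
    if not segs:
        raise ValueError(f"no handler in URL: {url}")
    return segs


def requires_auth(handler: str) -> bool:
    # Unknown handlers are treated as privileged: fail closed.
    return HANDLERS.get(handler, True)


def route_vulnerable(url: str, authenticated: bool) -> Decision:
    """Flawed pattern: the security check keys on the first segment, the dispatcher on
    the last one. Anything that makes the two differ bypasses the check."""
    segs = control_segments(url)
    auth_subject, target = segs[0], segs[-1]
    allowed = authenticated or not requires_auth(auth_subject)
    return Decision(auth_subject, target, allowed)


def route_fixed(url: str, authenticated: bool) -> Decision:
    """Hardened pattern: resolve the handler that will run, then authorize that one.
    Extra segments can no longer change which handler the check applies to."""
    segs = control_segments(url)
    target = segs[-1]
    allowed = authenticated or not requires_auth(target)
    return Decision(target, target, allowed)


if __name__ == "__main__":
    crafted = "https://erp.example.test/webtools/control/forgotPassword;/adminExport"
    for name, router in (("vulnerable", route_vulnerable), ("fixed", route_fixed)):
        d = router(crafted, authenticated=False)
        print(f"{name:10s} checked={d.auth_subject:15s} runs={d.target:12s} allowed={d.allowed}")
```

The fix is not to blacklist the semicolon but to make the authorization decision on the same value the dispatcher uses; a filter that only strips one separator would be bypassed by the next encoding trick.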
Recommendations: Upgrade to Apache OFBiz 18.12.13, which fixes the issue. Until the upgrade is done, restrict access to the vulnerable endpoints (for example /webtools/control/forgotPassword) at the network or reverse-proxy level, preferably by not exposing /webtools to untrusted networks at all, and block or at least log requests to the control servlet whose path contains a semicolon (;), which is the distinguishing feature of the exploit. Because the vulnerability was already being exploited when it was published, review access logs for such requests both before and after patching.
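A practitioner applying the workaround will also want to know whether the pattern has already been tried against their server. The following Python triage script, added for this page and not part of the advisory or of the OFBiz project, scans access-log lines for requests to the control servlet whose path carries a semicolon, percent-decoding first so that an encoded %3B does not slip past. The log lines are constructed for the example and the handler name adminExport is a placeholder.

```python
"""Access-log triage for the CVE-2024-32113 request pattern.

Added example for this page, not a tool from the advisory or the OFBiz project. The log
lines below are constructed for the example; adminExport is a placeholder handler name.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed combined-log-format lines: line 1 is legitimate use of the public endpoint,
# lines 2-4 carry the ';' bypass pattern (line 4 with the semicolon URL-encoded as %3B),
# line 5 is unrelated traffic to another webapp.
SAMPLE_LOG = """\
203.0.113.5 - - [08/May/2024:10:01:02 +0000] "GET /webtools/control/forgotPassword HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [08/May/2024:10:01:09 +0000] "POST /webtools/control/forgotPassword;/adminExport HTTP/1.1" 200 1337 "-" "curl/8.4.0"
203.0.113.7 - - [08/May/2024:10:01:15 +0000] "GET /webtools/control/main;/adminExport?x=1 HTTP/1.1" 302 0 "-" "curl/8.4.0"
203.0.113.9 - - [08/May/2024:10:02:01 +0000] "POST /webtools/control/forgotPassword%3B/adminExport HTTP/1.1" 200 1337 "-" "python-requests/2.31"
198.51.100.2 - - [08/May/2024:10:03:00 +0000] "GET /ecommerce/control/main HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_target(target: str) -> Optional[Dict[str, str]]:
    """Return details if a request target shows the bypass pattern, else None.

    The query string is dropped and the path is percent-decoded first, so an encoded
    semicolon (%3B) is caught too. Only OFBiz control-servlet paths are considered.
    """
    path = unquote(target.split("?", 1)[0])
    if "/control/" not in path or ";" not in path:
        return None
    public_part, hidden_part = path.split(";", 1)
    return {
        "reason": "semicolon path parameter in control servlet path",
        "public_part": public_part,  # what the authentication check would have seen
        "hidden_part": hidden_part,  # what the attacker was actually trying to reach
    }


def scan(log_text: str) -> List[Dict[str, str]]:
    """Parse each log line and collect the ones matching the exploit pattern."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        details = flag_target(m["target"])
        if details is None:
            continue
        hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                     "status": m["status"], **details})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["method"]} {hit["status"]} '
              f'public={hit["public_part"]} hidden={hit["hidden_part"]}')
```

A 200 response on a flagged POST deserves immediate follow-up, since that is what a successful request to the hidden endpoint looks like; the same condition, a semicolon in a decoded control-servlet path, can be enforced as a deny rule at the reverse proxy while the upgrade is scheduled.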

Exploit · Fix

Weakness Enumeration: Incorrect Authorization, Path traversal

Related Identifiers: BDU:2024-03744, BDU:2024-05995, CVE-2024-32113

Affected Products: Apache Ofbiz