Sure thing, thanks for the feedback

On 02/09/2024 at 09:17, [email protected] wrote:
It's ok, credit just 孙相 (Sun Xiang)

Sent from my phone


-------- Original message --------
From: Jacques Le Roux <[email protected]>
Date: Monday, 2 September 2024, 2:51 PM
To: [email protected], 孙相,03111186 <[email protected]>
Subject: Re: unauthorized SSRF and RCE vulnerability for Apache OFBiz under 18.12.16

    Hi 孙相 (Sun Xiang),

    On behalf of the OFBiz security team we thank you for your report and
    care in alerting us to the vulnerability mentioned herein.

    We have issued the CVE-2024-45507 and applied a patch for the vulnerability [1].
    The draft of the announcement is listed below [2] for your review and
    feedback. Thank you in advance for your reply.

    We just want to mention that it's not related to 18.12.16.
    We created the tag but finally decided to not release it yet.
    We will rather associate the CVE with 18.12.15.

    [1] https://github.com/apache/ofbiz-framework/commit/ffb1bc4879
    [2] Announcement Draft:

    
------------------------------------------------------------------------------------------------------------------------------------------------------

    Subject: CVE-2024-45507: Apache OFBiz: Prevent use of URLs in files when loading them from Java or Groovy, leading to a RCE

    Severity: important

    Affected versions: Apache OFBiz before 18.12.15

    Description:
    Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz.
    This issue affects Apache OFBiz: before 18.12.15.
    Users are recommended to upgrade to version 18.12.15, which fixes the issue.

    Credit: 孙相 (Sun Xiang), 03111186 (finder)

    References:
    https://ofbiz.apache.org/download.html
    https://ofbiz.apache.org/security.html
    https://issues.apache.org/jira/browse/OFBIZ-13132
    https://ofbiz.apache.org/
    https://www.cve.org/CVERecord?id=CVE-2024-45507

    
------------------------------------------------------------------------------------------------------------------------------------------------------

    Jacques on behalf of the Apache OFBiz security team


    On 29/08/2024 at 11:29, 孙相,03111186 wrote:

        Hello, here is a security vulnerability for Apache OFBiz under version 18.12.16
