Detections
Analytics

CVE-2023-49070

critical

Description

Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before 18.12.10. Users are recommended to upgrade to version 18.12.10

References

https://www.vicarius.io/vsociety/posts/apache-ofbiz-authentication-bypass-vulnerability-cve-2023-49070-and-cve-2023-51467

https://ofbiz.apache.org/security.html

https://ofbiz.apache.org/release-notes-18.12.10.html

https://ofbiz.apache.org/download.html

https://lists.apache.org/thread/jmbqk2lp4t4483whzndp5xqlq4f3otg3

https://issues.apache.org/jira/browse/OFBIZ-12812

http://packetstormsecurity.com/files/176323/Apache-OFBiz-18.12.09-Remote-Code-Execution.html

Details

Source: Mitre, NVD

Published: 2023-12-05

Updated: 2025-02-13

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.93892

Vulnerability Watch

Tenable Research has classified this CVE under the following Vulnerability Watch classification, which includes active and historical (inactive) classifications. You can learn more about these classifications on our blog.

Vulnerability of Interest