RCE in Apache Software Foundation Ofbiz
CVE-2023-49070
Pre-authentication RCE in Apache OFBiz 18.12.09. It is caused by the XML-RPC component, which is no longer maintained but is still present in the product. This issue affects Apache OFBiz before 18.12.10. Users are recommended to upgrade to version 18.12.10.
Vulnerability class: RCE (Remote Code Execution)
EPSS: 0.940 (99.9th percentile)
Affected products
- Apache Software Foundation Ofbiz — versions 0
Weakness classification (CWE)
Public proof-of-concept exploits
- abdoghazy2015/ofbiz-CVE-2023-49070-RCE-POC
- D0g3-8Bit/OFBiz-Attack
- UserConnecting/Exploit-CVE-2023-49070-and-CVE-2023-51467-Apache-OFBiz
- Praison001/Apache-OFBiz-Auth-Bypass-and-RCE-Exploit-CVE-2023-49070-CVE-2023-51467
- yukselberkay/CVE-2023-49070_CVE-2023-51467
- 0xrobiul/CVE-2023-49070
- rapid7/metasploit-framework
- Chocapikk/CVE-2023-51467
- DMW11525708/wiki
- EnriqueSanchezdelVillar/NotesHck
References
- ofbiz.apache.org/download.html (mitigation)
- ofbiz.apache.org/security.html (related)
- ofbiz.apache.org/release-notes-18.12.10.html (release-notes)
- issues.apache.org/jira/browse/OFBIZ-12812 (issue-tracking)
- lists.apache.org/thread/jmbqk2lp4t4483whzndp5xqlq4f3otg3 (vendor-advisory)
- packetstormsecurity.com/files/176323/Apache-OFBiz-18.12.09-Remote-Code-Executio…
Frequently asked questions
- What is CVE-2023-49070?
- CVE-2023-49070 is a vulnerability in Apache Software Foundation OFBiz, classified under Code Injection. Published 2023-12-05.
- Is CVE-2023-49070 known to be exploited?
- 71 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.