{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2023-49070","assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","state":"PUBLISHED","assignerShortName":"apache","dateReserved":"2023-11-21T12:04:43.559Z","datePublished":"2023-12-05T08:05:06.966Z","dateUpdated":"2025-02-13T17:18:28.237Z"},"containers":{"cna":{"affected":[{"defaultStatus":"affected","product":"Apache OFBiz","vendor":"Apache Software Foundation","versions":[{"lessThan":"18.12.10","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Siebene@"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Pre-auth RCE in Apache OFBiz 18.12.09.<br><br>It is due to XML-RPC, which is&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">no longer maintained</span>,&nbsp;still being present.<br><p>This issue affects Apache OFBiz: before 18.12.10.&nbsp;<br><span style=\"background-color: rgb(255, 255, 255);\">Users are recommended to upgrade to version 18.12.10</span></p>"}],"value":"Pre-auth RCE in Apache OFBiz 18.12.09.\n\nIt is due to XML-RPC, which is no longer maintained, still being present.\nThis issue affects Apache OFBiz: before 18.12.10. 
\nUsers are recommended to upgrade to version 18.12.10"}],"metrics":[{"other":{"content":{"text":"moderate"},"type":"Textual description of severity"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-94","description":"CWE-94 Improper Control of Generation of Code ('Code Injection')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache","dateUpdated":"2023-12-29T18:06:17.151Z"},"references":[{"tags":["mitigation"],"url":"https://ofbiz.apache.org/download.html"},{"tags":["related"],"url":"https://ofbiz.apache.org/security.html"},{"tags":["release-notes"],"url":"https://ofbiz.apache.org/release-notes-18.12.10.html"},{"tags":["issue-tracking"],"url":"https://issues.apache.org/jira/browse/OFBIZ-12812"},{"tags":["vendor-advisory"],"url":"https://lists.apache.org/thread/jmbqk2lp4t4483whzndp5xqlq4f3otg3"},{"url":"http://packetstormsecurity.com/files/176323/Apache-OFBiz-18.12.09-Remote-Code-Execution.html"}],"source":{"defect":["OFBIZ-12812"],"discovery":"EXTERNAL"},"title":"Pre-auth RCE in Apache Ofbiz 18.12.09 due to XML-RPC still present","x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-19T07:48:13.953Z"},"title":"CVE Program 
Container","references":[{"tags":["mitigation","x_transferred"],"url":"https://ofbiz.apache.org/download.html"},{"tags":["related","x_transferred"],"url":"https://ofbiz.apache.org/security.html"},{"tags":["release-notes","x_transferred"],"url":"https://ofbiz.apache.org/release-notes-18.12.10.html"},{"tags":["issue-tracking","x_transferred"],"url":"https://issues.apache.org/jira/browse/OFBIZ-12812"},{"tags":["vendor-advisory","x_transferred"],"url":"https://lists.apache.org/thread/jmbqk2lp4t4483whzndp5xqlq4f3otg3"},{"url":"http://packetstormsecurity.com/files/176323/Apache-OFBiz-18.12.09-Remote-Code-Execution.html","tags":["x_transferred"]},{"url":"https://www.vicarius.io/vsociety/posts/apache-ofbiz-authentication-bypass-vulnerability-cve-2023-49070-and-cve-2023-51467"}]}]}}