VYPR
Unrated severity · NVD Advisory · Published Sep 2, 2022 · Updated Nov 20, 2024

Unauth Path Traversal with file corruption affecting the Birt plugin of Apache OFBiz

CVE-2022-25371

Description

Apache OFBiz uses the Birt project plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. By leveraging a bug in Birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142) it is possible to perform a remote code execution (RCE) attack in Apache OFBiz, release 18.12.05 and earlier.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache OFBiz prior to 18.12.06 allows unauthenticated remote code execution via a path traversal vulnerability in the Birt viewer component.

Vulnerability

Apache OFBiz versions prior to 18.12.06 include the Birt viewer component (version 4.5.0) which contains a path traversal vulnerability [2][3]. This flaw allows an attacker to bypass intended access controls and read or write arbitrary files on the server. The vulnerability is triggered through the Birt plugin's handling of report resources, enabling remote code execution when combined with file upload capabilities.

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending specially crafted HTTP requests to the Birt viewer endpoint [1][2]. The path traversal allows the attacker to write malicious files (e.g., JSP) to the web application directory, which can then be executed by the server. No authentication or user interaction is required, making the attack straightforward for anyone with network access to the OFBiz instance.

Impact

Successful exploitation results in remote code execution with the privileges of the OFBiz application server [1][2]. This can lead to full compromise of the affected system, including data theft, modification, and denial of service. The vulnerability is rated High severity.

Mitigation

The Apache OFBiz project has released version 18.12.06, which disables the Birt component entirely because the upstream Birt project did not provide a fix [1][2][3]. Users should upgrade to OFBiz 18.12.06 or apply the patches referenced in the Apache JIRA issue [2]. The only workaround is to disable the Birt component manually, which is recommended if an upgrade is not immediately possible. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
