Apache OFBiz: Arbitrary file reading vulnerability
Description
Arbitrary file reading vulnerability in Apache Software Foundation Apache OFBiz when using the Solr plugin. This is a pre-authentication attack. This issue affects Apache OFBiz: before 18.12.07.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache OFBiz before 18.12.07 allows pre-authentication arbitrary file reading via the Solr plugin.
Vulnerability
An arbitrary file reading vulnerability exists in Apache OFBiz when the Solr plugin is enabled. The issue affects all versions before 18.12.07. The vulnerability allows an unauthenticated attacker to read arbitrary files from the server's filesystem by sending crafted requests to the Solr plugin endpoint.
Exploitation
No authentication is required. An attacker with network access to the OFBiz instance can exploit this by sending a specially crafted HTTP request to the Solr plugin's URL. The exact request structure is not publicly detailed, but the attack is pre-authentication and does not require any prior access or user interaction.
Impact
Successful exploitation allows an attacker to read arbitrary files on the server, potentially including sensitive configuration files, credentials, or other confidential data. The confidentiality of the system is compromised, but integrity and availability are not directly affected.
Mitigation
Upgrade to Apache OFBiz version 18.12.07 or later, which contains the fix. No workarounds are documented. The fix was released on an undisclosed date prior to the CVE publication on 2023-04-14.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 18.12.06
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.apache.org/thread/k8s76l0whydy45bfm4b69vq0mf94p3wc (vendor advisory; source: MITRE)
- ofbiz.apache.org/download.html (release notes; source: MITRE)
- ofbiz.apache.org/security.html (related; source: MITRE)
- www.openwall.com/lists/oss-security/2023/04/18/5 (source: MITRE)
- www.openwall.com/lists/oss-security/2023/04/18/9 (source: MITRE)
- www.openwall.com/lists/oss-security/2023/04/19/1 (source: MITRE)
- www.openwall.com/lists/oss-security/2023/04/19/6 (source: MITRE)
News mentions
No linked articles in our index yet.