Pre-auth RCE in Apache Ofbiz 18.12.09 due to XML-RPC still present
Description
Pre-auth RCE in Apache OFBiz 18.12.09.
It is caused by the XML-RPC component, which is no longer maintained but is still present in the application. This issue affects Apache OFBiz before 18.12.10. Users are recommended to upgrade to version 18.12.10.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated remote code execution in Apache OFBiz 18.12.09 and earlier due to a deprecated XML-RPC component.
Vulnerability
Apache OFBiz versions before 18.12.10 are vulnerable to a pre-authentication remote code execution (RCE) flaw in the deprecated XML-RPC component. The component, which is no longer maintained, remains present in the application and can be reached without prior authentication. The vulnerability is specifically addressed in [OFBIZ-12812] [1][2].
Exploitation
An attacker with network access to an affected Apache OFBiz instance can exploit this vulnerability by sending a specially crafted XML-RPC request to the exposed endpoint. No authentication or user interaction is required [1][2].
Impact
Successful exploitation allows an unauthenticated attacker to achieve remote code execution (RCE) on the underlying server. This grants the attacker full control over the affected Apache OFBiz instance, leading to complete compromise of confidentiality, integrity, and availability [1][2].
Mitigation
Apache OFBiz 18.12.10, released in December 2023, removes the deprecated XML-RPC code and fixes this vulnerability. Users are recommended to upgrade to version 18.12.10 or later. No workaround is provided [1][3][4].
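The two questions a practitioner asks after reading the Exploitation and Mitigation sections are "is this instance still on a release that ships XML-RPC?" and "has anyone been talking to the endpoint?". The following is an added triage example written for this page; it is not code from the CVE references or from the OFBiz project. Two things in it are assumptions not stated on this page and are marked as such in the code: that the XML-RPC handler is reached at the path /webtools/control/xmlrpc, and that the web server writes combined-format access logs. The sample log lines are constructed for the demonstration.

```python
"""Added triage helpers for the Apache OFBiz pre-auth RCE via the deprecated
XML-RPC component. Example code, not from the OFBiz project or the advisory.

Assumptions (not stated on the page):
  * the XML-RPC endpoint is served under /webtools/control/xmlrpc;
  * access logs are in the common "combined" log format.
"""
import re
from typing import Dict, Iterable, List, Tuple

# First release that removes the deprecated XML-RPC code (from the advisory).
FIXED_VERSION: Tuple[int, int, int] = (18, 12, 10)

# ASSUMED path of the XML-RPC request handler; adjust to your deployment.
XMLRPC_ENDPOINT = "/webtools/control/xmlrpc"

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")

# Combined-log-format request line: client, timestamp, method, target, status.
_LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn an OFBiz release string such as '18.12.09' into a numeric tuple.

    OFBiz zero-pads release components, so comparing strings is unreliable
    ('18.12.9' sorts after '18.12.10' lexicographically). A trailing
    qualifier such as '-SNAPSHOT' is ignored.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised OFBiz version string: {version!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the release predates 18.12.10 and therefore still ships XML-RPC."""
    return parse_version(version) < FIXED_VERSION


def _normalise_path(target: str) -> str:
    """Drop the query string and any trailing slash before comparing paths."""
    return target.split("?", 1)[0].rstrip("/")


def flag_xmlrpc_requests(lines: Iterable[str],
                         endpoint: str = XMLRPC_ENDPOINT) -> List[Dict[str, str]]:
    """Return every parsed request whose path is the XML-RPC endpoint.

    The component is deprecated, so any traffic to it on an unpatched instance
    deserves review. Because the flaw is pre-auth there is no login event to
    correlate against; the web server log is the primary signal.
    """
    wanted = endpoint.rstrip("/")
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = _LOG_LINE_RE.match(line)
        if not m:
            continue  # skip malformed or non-request lines
        if _normalise_path(m.group("target")) == wanted:
            hits.append({k: m.group(k) for k in ("ip", "ts", "method", "status")})
    return hits


# Constructed sample log lines for the demonstration; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Dec/2023:10:14:02 +0000] "POST /webtools/control/xmlrpc HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [26/Dec/2023:10:14:05 +0000] "GET /webtools/control/main HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Dec/2023:10:14:09 +0000] "POST /webtools/control/xmlrpc?x=1 HTTP/1.1" 200 498 "-" "curl/8.4.0"
this line is not an access log entry and is skipped
"""

if __name__ == "__main__":
    for v in ("18.12.09", "18.12.10"):
        print(v, "affected" if is_affected(v) else "fixed")
    for hit in flag_xmlrpc_requests(SAMPLE_LOG.splitlines()):
        print(hit)
```

Run it against a real access log with `flag_xmlrpc_requests(open(path))`; a hit on an instance where `is_affected()` is true should be treated as a potential pre-auth compromise rather than a benign integration call, since the endpoint was not supposed to be in use.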
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- 2 products listed; Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] lists.apache.org/thread/jmbqk2lp4t4483whzndp5xqlq4f3otg3 (vendor advisory; via MITRE)
- [2] issues.apache.org/jira/browse/OFBIZ-12812 (issue tracking; via MITRE)
- [3] ofbiz.apache.org/download.html (mitigation; via MITRE)
- [4] ofbiz.apache.org/release-notes-18.12.10.html (release notes; via MITRE)
- [5] ofbiz.apache.org/security.html (related; via MITRE)
- [6] packetstormsecurity.com/files/176323/Apache-OFBiz-18.12.09-Remote-Code-Execution.html (via MITRE)
News mentions
No linked articles in our index yet.