Apache OFBiz: Arbitrary file properties reading and SSRF attack
Description
Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when a user issues a URI call without authorization.
The same URI can be used to carry out an SSRF attack, also without authorization.
Users are recommended to upgrade to version 18.12.11, which fixes this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache OFBiz before 18.12.11 allows unauthenticated attackers to read arbitrary file properties and perform SSRF via a crafted URI.
Vulnerability
In Apache OFBiz versions through 18.12.10, unauthenticated users can issue a URI call that reads arbitrary file properties and enables Server-Side Request Forgery (SSRF)[3]. The vulnerability is due to missing authorization checks on the URI handler involved: the request is served before the caller's permissions are verified.
Exploitation
An attacker can craft a malicious URI without authenticating to trigger the vulnerability; no user interaction is required. The same URI can be used to perform SSRF, making the OFBiz server issue requests to internal or external systems on the attacker's behalf[3].
Impact
Successful exploitation allows arbitrary file properties reading, potentially leaking sensitive information such as file existence or metadata. SSRF can be leveraged to probe internal networks or access internal services, leading to further compromise[3].
Mitigation
The vulnerability is fixed in Apache OFBiz version 18.12.11[3]. The fix is tracked in Jira issue OFBIZ-12875[4]. Users are recommended to upgrade to the latest release; no workaround is provided, so the effective control is to verify every deployment is on 18.12.11 or later.
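Since upgrading is the only remedy, the practical check is to sweep an inventory of OFBiz deployments and flag every version below the fixed release. The script below is an added example, not code from the OFBiz project or from this advisory. It assumes the "before 18.12.11" wording of the description, so earlier release lines (such as 17.12.x) are flagged as affected; the inventory records are constructed for illustration, the "-SNAPSHOT" build string is a hypothetical pre-release label, and an unparseable version is treated as affected until verified (fail closed).

```python
"""Flag Apache OFBiz deployments still on a release affected by this advisory.
Added example (not OFBiz project code). Affected = any version before 18.12.11,
per the advisory text; sample inventory below is constructed for illustration."""

import re
from typing import List, Optional, Tuple

FIXED_VERSION = "18.12.11"  # release named in the advisory as carrying the fix

# Constructed sample inventory: (host, OFBiz version string as reported by the host)
SAMPLE_INVENTORY = [
    ("erp-prod-01", "18.12.10"),
    ("erp-prod-02", "18.12.11"),
    ("erp-stage", "18.12.09"),
    ("erp-legacy", "17.12.07"),
    ("erp-dev", "18.12.11-SNAPSHOT"),  # hypothetical pre-release build label
    ("erp-unknown", ""),               # version could not be collected
]

# Leading MAJOR.MINOR.PATCH; anything after it is kept as a suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[Tuple[int, int, int], str]]:
    """Return ((major, minor, patch), suffix) for an OFBiz version string,
    or None when the string does not start with three numeric components.
    Numeric parsing makes '18.12.09' compare equal to 18.12.9."""
    text = text.strip()
    m = _VERSION_RE.match(text)
    if not m:
        return None
    triple = tuple(int(p) for p in m.groups())
    return (triple[0], triple[1], triple[2]), text[m.end():]


def is_affected(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the version is below the fixed release, cannot be parsed,
    or is a suffixed (pre-release) build of exactly the fixed release.
    Assumption: a suffixed build of 18.12.11 may predate the fix, so it is
    flagged conservatively rather than trusted."""
    parsed = parse_version(version_text)
    if parsed is None:
        return True  # fail closed: unknown version counts as affected
    triple, suffix = parsed
    fixed_triple, _ = parse_version(fixed)
    if triple < fixed_triple:
        return True
    return triple == fixed_triple and suffix != ""


def affected_hosts(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hosts from (host, version) records that still need the upgrade."""
    return [host for host, version in inventory if is_affected(version)]


if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: upgrade to Apache OFBiz {FIXED_VERSION} or later")
```

Feed the script the (host, version) pairs from whatever source of truth the environment has (CMDB, deployment manifests, the version reported by each install); hosts it lists are the ones to schedule for the 18.12.11 upgrade.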
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Apache OFBiz: versions before 18.12.11 (fixed in 18.12.11)
Patches
No patches discovered yet.
References
- lists.apache.org/thread/x5now4bk3llwf3k58kl96qvtjyxwp43q (vendor advisory)
- issues.apache.org/jira/browse/OFBIZ-12875 (issue tracking, via MITRE)
- ofbiz.apache.org/download.html (mitigation, via MITRE)
- ofbiz.apache.org/release-notes-18.12.11.html (release notes, via MITRE)
- ofbiz.apache.org/security.html (related, via MITRE)
- www.openwall.com/lists/oss-security/2023/12/26/2 (via MITRE)