Apache OFBiz: Path traversal or file inclusion

Vulnerability

A path traversal vulnerability exists in Apache OFBiz prior to version 18.12.12, allowing an attacker to include files from outside the intended directory. The vulnerability is present in the handling of file paths, enabling directory traversal sequences to bypass restrictions. All versions before 18.12.12 are affected [2][4].

Exploitation

An attacker with network access to the OFBiz instance can exploit this by sending crafted HTTP requests containing path traversal sequences (e.g., ../) to include arbitrary files on the server. No prior authentication is explicitly stated as required, suggesting the vector may be accessible to unauthenticated users. The exact attack surface is detailed in the associated Jira issue [2][4].

Impact

Successful exploitation allows an attacker to include files from the server's filesystem, potentially leading to information disclosure, execution of arbitrary code, or other malicious outcomes depending on the files accessed. The vulnerability is rated as critical severity [4].

Mitigation

The vulnerability is fixed in Apache OFBiz version 18.12.12, released in February 2024. Users are strongly recommended to upgrade to this version or later. No workarounds are mentioned in the available references. Users can download the latest release from the Apache OFBiz downloads page [3][4].