VYPR
Unrated severity · NVD Advisory · Published Feb 28, 2024 · Updated Feb 13, 2025

Apache OFBiz: Path traversal allowing authentication bypass.

CVE-2024-25065

Description

Possible path traversal in Apache OFBiz allowing authentication bypass. Users are recommended to upgrade to version 18.12.12, that fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Path traversal in Apache OFBiz allows authentication bypass; upgrade to version 18.12.12.

Vulnerability

A path traversal vulnerability exists in the hasBasePermission method of Apache OFBiz's LoginWorker. The contextPath value is used in the permission check without being normalized, so a path containing traversal segments is evaluated as written rather than as the canonical path it resolves to, allowing an attacker to bypass authentication checks. All Apache OFBiz releases before 18.12.12 are affected [1][2][4].

Exploitation

An attacker sends a crafted HTTP request whose contextPath contains directory traversal sequences (such as ../) to bypass authentication. No prior authentication or special network position is required; the vulnerability is exploitable by an unauthenticated remote attacker [4].
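The following illustrates the class of bug described in the Vulnerability and Exploitation sections above: a permission check that matches an unnormalized request path against protected prefixes, beside a hardened version that canonicalizes first and fails closed. This is an added example written for this page, not Apache OFBiz code, and it does not reproduce the exact logic of LoginWorker or hasBasePermission; the class name, the prefix table and the probe paths are all hypothetical.

```java
import java.net.URI;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Hypothetical prefix-based access check (illustrative, not OFBiz code).
 * Shows why matching the raw request path against protected prefixes can
 * be evaded with "../" segments, and how canonicalizing first closes it.
 */
public class ContextPathCheck {

    // Hypothetical mapping from URL prefix to "requires a logged-in user".
    private static final Map<String, Boolean> REQUIRES_LOGIN = new LinkedHashMap<>();
    static {
        REQUIRES_LOGIN.put("/webtools/control/", Boolean.TRUE);   // admin tooling
        REQUIRES_LOGIN.put("/ecommerce/control/", Boolean.FALSE); // public storefront
    }

    private static boolean lookup(String path) {
        for (Map.Entry<String, Boolean> e : REQUIRES_LOGIN.entrySet()) {
            if (path.startsWith(e.getKey())) {
                return e.getValue();
            }
        }
        return true; // anything unrecognised is treated as protected
    }

    /** Vulnerable variant: trusts the raw path exactly as the client sent it. */
    static boolean requiresLoginVulnerable(String rawPath) {
        return lookup(rawPath);
    }

    /** Hardened variant: canonicalise, reject residual traversal, then match. */
    static boolean requiresLoginHardened(String rawPath) {
        String path;
        try {
            // normalize() collapses "." and ".." segments on the raw (still
            // percent-encoded) path; getPath() then decodes %XX escapes.
            path = URI.create(rawPath).normalize().getPath();
        } catch (IllegalArgumentException e) {
            return true; // unparsable input: fail closed
        }
        // An encoded "%2e%2e" survives normalize() and only becomes ".."
        // after decoding, so the decoded form must be checked as well.
        if (path == null || !path.startsWith("/") || path.contains("..")) {
            return true; // fail closed
        }
        return lookup(path);
    }

    public static void main(String[] args) {
        // Constructed probe paths: a plain request, a plain traversal and an
        // encoded traversal. The vulnerable check classifies the last two as
        // public storefront requests; the hardened check requires login.
        String[] probes = {
            "/webtools/control/main",
            "/ecommerce/control/../../webtools/control/main",
            "/ecommerce/control/%2e%2e/%2e%2e/webtools/control/main",
        };
        for (String p : probes) {
            System.out.printf("%-58s vulnerable=%-5b hardened=%b%n",
                    p, requiresLoginVulnerable(p), requiresLoginHardened(p));
        }
    }
}
```

The hardened variant checks the decoded path for ".." after normalization because java.net.URI.normalize() operates on the still-encoded path and will not collapse a percent-encoded dot segment; treating any residual traversal or parse failure as "protected" keeps the check fail-closed rather than fail-open.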

Impact

Successful exploitation allows an attacker to bypass authentication mechanisms, gaining unauthorized access to OFBiz instances. This can lead to full compromise of the application, including data disclosure and potential admin-level access [1][4].

Mitigation

Users should upgrade to Apache OFBiz version 18.12.12 (released February 2024) which fixes the issue. No workarounds are available. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date [2][4].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 6

News mentions: 0 (no linked articles in the index yet)