VYPR
Unrated severity · NVD Advisory · Published Jun 4, 2024 · Updated Feb 13, 2025

Apache OFBiz: Path traversal leading to a RCE

CVE-2024-36104

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.14.

Users are recommended to upgrade to version 18.12.14, which fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Path traversal vulnerability in Apache OFBiz before 18.12.14 allows remote code execution via crafted requests.

Vulnerability

Apache OFBiz versions before 18.12.14 contain a path traversal vulnerability in the framework/webapp component [2]. The improper limitation of a pathname to a restricted directory allows an attacker to traverse directories and access files outside the intended scope [4]. This issue affects all versions prior to 18.12.14 [1][4].

Exploitation

An attacker can exploit this vulnerability by sending specially crafted HTTP requests containing encoded path traversal sequences (e.g., .. or URL-encoded variants) to the OFBiz web application [2][4]. No authentication is required, as the vulnerability is present in unauthenticated endpoints [4]. The attacker can manipulate the path to include traversal sequences, leading to arbitrary file read or potentially remote code execution.
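As an added defender-side example (not from the advisory or from the OFBiz project), the following Python flags requests whose path carries a traversal sequence in plain, percent-encoded or double-encoded form, and shows the lexical containment check a web application needs before using a client-supplied path. The access-log lines, client IPs and /webapp/control paths are constructed; the containment check is purely lexical and does not resolve symlinks.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed access-log lines (not from the advisory): one benign request,
# then '..' in plain, single- and double-percent-encoded forms.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Jun/2024:10:00:01 +0000] "GET /webapp/control/main HTTP/1.1" 200 512
10.0.0.6 - - [04/Jun/2024:10:00:02 +0000] "GET /webapp/control/../../WEB-INF/web.xml HTTP/1.1" 200 2048
10.0.0.7 - - [04/Jun/2024:10:00:03 +0000] "GET /webapp/control/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1024
10.0.0.8 - - [04/Jun/2024:10:00:04 +0000] "GET /webapp/control/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 130
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def decode_path(target, max_rounds=3):
    # Drop the query string, percent-decode until stable (bounded) so that
    # %2e%2e and %252e%252e both surface as '..', and unify '\' to '/'.
    path = target.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def has_traversal(target):
    # A '..' segment surviving decoding is never sent by a well-behaved client.
    return ".." in decode_path(target).split("/")

def resolve_within(root, target):
    # Lexical containment check for server-side use: the resolved path must stay
    # under root. Real code must also resolve symlinks (os.path.realpath).
    root = posixpath.normpath(root)
    resolved = posixpath.normpath(posixpath.join(root, decode_path(target).lstrip("/")))
    return resolved if resolved == root or resolved.startswith(root + "/") else None

def scan_access_log(text):
    # Return (client_ip, decoded_path, status) for each request flagged as traversal.
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and has_traversal(m["target"]):
            hits.append((m["ip"], decode_path(m["target"]), int(m["status"])))
    return hits

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```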

Impact

Successful exploitation allows an attacker to read arbitrary files on the server, and under certain conditions, achieve remote code execution (RCE) [4]. This can lead to full compromise of the OFBiz instance, including data disclosure, modification, and denial of service.

Mitigation

The vulnerability is fixed in Apache OFBiz version 18.12.14 [1][4]. Users are strongly recommended to upgrade to this version or later. No workarounds are provided in the references. The fix is also included in subsequent releases (18.12.18, 24.09.01) [2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 5

News mentions: 0