VYPR
Unrated severity · NVD Advisory · Published Sep 4, 2024 · Updated Sep 13, 2024

Apache OFBiz: Prevent use of URLs in files when loading them from Java or Groovy, leading to a RCE

CVE-2024-45507

Description

A Server-Side Request Forgery (SSRF) and Improper Control of Generation of Code ('Code Injection') vulnerability exists in Apache OFBiz.

This issue affects Apache OFBiz versions before 18.12.16.

Users are recommended to upgrade to version 18.12.16, which fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2024-45507 is an SSRF and Code Injection vulnerability in Apache OFBiz before 18.12.16, allowing remote attackers to execute arbitrary code.

Vulnerability

CVE-2024-45507 is a Server-Side Request Forgery (SSRF) and Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. The issue affects versions before 18.12.16. It exists in the handling of screen/script URIs, where insufficient validation allows an attacker to inject malicious URL patterns [2].

Exploitation

An attacker can exploit this vulnerability by sending a specially crafted request to the Apache OFBiz server, triggering the vulnerable code path that processes screen/script URIs. The attacker does not require authentication, as the vulnerability can be reached from a pre-auth context. The exploitation involves manipulating the URI to bypass intended restrictions and make the server fetch or execute unintended resources [1][2].

Impact

Successful exploitation allows an attacker to achieve Server-Side Request Forgery, potentially accessing internal services or arbitrary external hosts, and also leads to Code Injection, enabling remote code execution in the context of the OFBiz application. This can result in full compromise of the affected server and data exposure [1][2].

Mitigation

Apache OFBiz has fixed this issue in version 18.12.16, released on or before the CVE publication date of 2024-09-04. Users are recommended to upgrade to version 18.12.16 or later. The fix adds validation to screen/script URIs to block dangerous URL patterns [2][3]. No workarounds have been published, and vulnerable versions (before 18.12.16) that have reached end of life receive no further support; upgrading is the only mitigation.
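The advisory title names the mitigation pattern: refuse URL-form locations before a script or screen is loaded from Java or Groovy. The guard below is an added illustration of that pattern and is not the OFBiz project's own fix; the allow-listed schemes (`component`, `classpath`), the class name and the sample locations are assumptions chosen for the example. It rejects any location carrying a non-allow-listed scheme (http, https, file, jar, ...), scheme-relative forms such as `//host/x`, and path traversal segments, so a request parameter can never steer the loader to a remote or out-of-tree resource.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/**
 * Illustrative guard (not OFBiz code) that validates a script/screen location
 * before it reaches a Java or Groovy loader.
 */
public final class ScriptLocationGuard {

    // Assumed allow-list: only the application's own resource schemes are accepted.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("component", "classpath");

    private ScriptLocationGuard() {}

    /** Returns true only for locations that stay inside the application's own resources. */
    public static boolean isSafeLocation(String location) {
        if (location == null || location.isBlank()) {
            return false;
        }
        // Control characters or whitespace have no business in a script location.
        for (int i = 0; i < location.length(); i++) {
            char c = location.charAt(i);
            if (Character.isISOControl(c) || Character.isWhitespace(c)) {
                return false;
            }
        }
        final URI uri;
        try {
            uri = new URI(location);
        } catch (URISyntaxException e) {
            return false; // malformed input is rejected rather than guessed at
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            // No scheme: must be a plain relative path, not a scheme-relative URL like //host/x.
            if (uri.getRawAuthority() != null) {
                return false;
            }
        } else if (!ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            // http, https, file, jar, ftp and every other scheme are refused here.
            return false;
        }
        // Path traversal would let a location escape the directory it is meant to stay in.
        String path = uri.getPath();
        if (path == null) {
            path = uri.getSchemeSpecificPart(); // opaque URIs such as classpath:dir/x.groovy
        }
        for (String segment : path.split("/")) {
            if ("..".equals(segment)) {
                return false;
            }
        }
        return true;
    }

    /** Call this in front of the loader so an unsafe location never reaches the script engine. */
    public static String resolveOrReject(String location) {
        if (!isSafeLocation(location)) {
            throw new IllegalArgumentException("refusing script location: " + location);
        }
        return location;
    }

    public static void main(String[] args) {
        // Constructed sample locations; the first two represent in-application resources.
        String[] samples = {
            "component://order/script/OrderServices.groovy",
            "script/OrderServices.groovy",
            "http://untrusted.example/remote.groovy",      // remote URL
            "file:///tmp/untrusted.groovy",                // local file URL
            "//untrusted.example/remote.groovy",           // scheme-relative URL
            "component://order/../../outside.groovy"       // traversal
        };
        for (String s : samples) {
            System.out.println((isSafeLocation(s) ? "accept " : "reject ") + s);
        }
    }
}
```

Running the class prints `accept` for the two in-application locations and `reject` for the four URL or traversal forms. In a real deployment the guard belongs at the single choke point where request-derived locations are turned into loader calls, and a rejection is worth logging, since a request that carries a remote URL in a script location is itself a useful detection signal.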

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)