Apache OFBiz: URLs allowing remote use of Groovy expressions, leading to RCE
Description
Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 18.12.17.
Users are recommended to upgrade to version 18.12.17, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Server-Side Request Forgery and Code Injection in Apache OFBiz before 18.12.17 due to insufficient validation of component:// URLs, allowing unauthenticated attackers to execute arbitrary code.
Vulnerability
In Apache OFBiz versions prior to 18.12.17, the handling of component:// URLs in the framework/base component is insufficiently validated. The code only checks whether the string contains component:// somewhere, rather than ensuring it starts with that prefix [2]. This allows an attacker to supply arbitrary URLs that include component:// anywhere in the string, bypassing the intended restriction and enabling Server-Side Request Forgery (SSRF) and potential code injection.
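The contrast the advisory describes, a substring check versus a prefix check, is illustrated below as an added example. It is not OFBiz's own code: the class and method names are hypothetical, the allow-list of component names is constructed for the demonstration, and the allow-list and traversal checks in the strict form go beyond what the advisory itself states about the fix.

```java
// Added illustration, not Apache OFBiz code. Contrasts a weak "contains"
// check of the kind the advisory describes with a strict prefix check.
// ComponentLocationCheck and its methods are hypothetical names.
import java.util.Set;

public final class ComponentLocationCheck {

    private static final String COMPONENT_SCHEME = "component://";

    // Constructed allow-list of component names; a real deployment would
    // derive this from the set of installed components.
    private static final Set<String> KNOWN_COMPONENTS =
            Set.of("base", "webapp", "security");

    private ComponentLocationCheck() {}

    /**
     * Weak check: any string with the scheme somewhere inside it passes,
     * so a location that merely embeds "component://" is accepted.
     */
    public static boolean weakIsComponentLocation(String location) {
        return location != null && location.contains(COMPONENT_SCHEME);
    }

    /**
     * Strict check: the scheme must be the prefix, the component name that
     * follows must be on the allow-list, and the component-relative path
     * must not contain ".." segments.
     */
    public static boolean strictIsComponentLocation(String location) {
        if (location == null || !location.startsWith(COMPONENT_SCHEME)) {
            return false;
        }
        String rest = location.substring(COMPONENT_SCHEME.length());
        int slash = rest.indexOf('/');
        String component = slash < 0 ? rest : rest.substring(0, slash);
        if (!KNOWN_COMPONENTS.contains(component)) {
            return false;
        }
        String path = slash < 0 ? "" : rest.substring(slash + 1);
        for (String segment : path.split("/")) {
            if (segment.equals("..")) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample locations: one legitimate, three that should be
        // rejected by a correct validator.
        String[] samples = {
            "component://base/config/example.properties",
            "https://example.invalid/?u=component://base/",
            "component://base/../security/config/secret.properties",
            "file:///tmp/component://",
        };
        for (String s : samples) {
            System.out.printf("%-58s weak=%-5s strict=%s%n",
                    s, weakIsComponentLocation(s), strictIsComponentLocation(s));
        }
    }
}
```

Running `main` shows the weak check accepting all four sample strings while the strict check accepts only the first; the same table of inputs is a reasonable regression test to keep beside any prefix-based location validator.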
Exploitation
An unauthenticated attacker can send a specially crafted HTTP request to an Apache OFBiz instance, embedding a malicious URL that contains component:// but does not start with it. The flawed validation logic processes this URL, allowing the attacker to make the server send requests to internal or external resources (SSRF) and potentially inject code that is executed by the server.
Impact
Successful exploitation results in Server-Side Request Forgery, enabling the attacker to access internal network services, and may lead to remote code execution via code injection. This can compromise the confidentiality, integrity, and availability of the OFBiz instance and the underlying host.
Mitigation
The vulnerability is fixed in Apache OFBiz version 18.12.17 [2]. Users are strongly recommended to upgrade to this version or later. No workarounds are documented. The latest stable release can be downloaded from the official Apache OFBiz download page [3].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- ofbiz.apache.org/security.html (mitre, patch)
- lists.apache.org/thread/022r19skfofhv3lzql33vowlrvqndh11 (mitre, vendor-advisory)
- issues.apache.org/jira/browse/OFBIZ-13158 (mitre, issue-tracking)
- ofbiz.apache.org/download.html (mitre, mitigation, product, release-notes)
News mentions
No linked articles in our index yet.