CVE-2024-38856
CRITICALCISA KEVEPSS 100th pctlDescription
Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).
CVSS v3 Vector
Exploitability
Impact
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit Intelligence
Very high risk: more likely to be exploited than 100% of all known CVEs.
Apache OFBiz Incorrect Authorization Vulnerability
Apache OFBiz contains an incorrect authorization vulnerability that could allow remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker.
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Remediation due: 2024-09-17
References
- https://issues.apache.org/jira/browse/OFBIZ-13128
- https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w
- https://ofbiz.apache.org/download.html
- https://ofbiz.apache.org/security.html
- http://www.openwall.com/lists/oss-security/2024/08/04/1
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-38856
Find and fix vulnerabilities across your fleet
TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.
Start freeThis product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2025-10-23.