
CVE-2024-32113

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 08 May 2024
Modified: 23 October 2025
KEV Added: 07 August 2024
Patch
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9396 (99.9th percentile)
Risk Priority: 96 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-32113 is a critical-severity Path Traversal (CWE-22) vulnerability in Apache OFBiz. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-32113 is a path traversal vulnerability, tracked as CWE-22, that affects Apache OFBiz versions prior to 18.12.13. The flaw stems from improper limitation of pathnames to restricted directories and carries a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation without authentication or user interaction and resulting in complete loss of confidentiality, integrity, and availability.

Unauthenticated remote attackers can supply crafted path sequences to traverse directories and access or modify arbitrary files on the server. Successful exploitation grants full control over the affected OFBiz instance, enabling data exfiltration, system modification, or service disruption.

Apache OFBiz project advisories and the associated security notice direct users to upgrade immediately to version 18.12.13, which contains the fix; the project’s download and security pages list the patched release and related Jira issue OFBIZ-13006.

The vulnerability’s EPSS score has reached a peak of 0.9701 with a current value of 0.9396, indicating sustained and substantial exploitation interest following public disclosure.

EU & UK References

Vulnerability details

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.13. Users are recommended to upgrade to version 18.12.13, which fixes the issue.

CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
KEV Date Added: 07 August 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: apache
Product: ofbiz
Versions: ≤ 18.12.13

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-10, Information Input Validation): Directly requires validation of path inputs to reject traversal sequences such as '../' that enable the CWE-22 flaw.

Prevent (SI-2, Flaw Remediation): Mandates prompt application of the vendor patch (upgrade to 18.12.13) that eliminates the path-traversal vulnerability.

Prevent: Enforces access restrictions on files and directories so that even if a traversal attempt occurs, unauthorized file operations are blocked.
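As an added illustration of the SI-10 control (this is not Apache OFBiz code and does not reproduce the CVE-2024-32113 request), the example below puts a naive substring filter next to a canonical-path containment check; the web root and the request paths are constructed for the demo.

```python
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def naive_is_safe(user_path: str) -> bool:
    """Weak check that only looks for a literal '../' in the raw input.
    It is blind to URL-encoded and backslash-separated forms."""
    return "../" not in user_path


def resolve_within(base_dir: str, user_path: str) -> Optional[str]:
    """Hardened check: decode, normalise separators, canonicalise
    (symlinks included) and require the result to stay inside base_dir.
    Returns the absolute path to serve, or None to reject the request."""
    decoded = unquote(unquote(user_path))             # tolerate double encoding
    decoded = decoded.replace("\\", "/").lstrip("/")  # never let input go absolute
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, target]) != base:    # canonical form left base_dir
        return None
    return target


def demo() -> dict:
    """Constructed sample: a web root with one public file and one file
    outside it; returns, per request path, the verdict of each check."""
    root = tempfile.mkdtemp()
    public = os.path.join(root, "webroot")
    os.makedirs(public)
    for rel, text in (("webroot/index.html", "ok"), ("secret.txt", "private")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
    results = {}
    for req in ("index.html", "sub/../index.html", "../secret.txt",
                "..%2Fsecret.txt", "..%252Fsecret.txt", "..\\secret.txt"):
        results[req] = {
            "naive": "allow" if naive_is_safe(req) else "reject",
            "hardened": "allow" if resolve_within(public, req) else "reject",
        }
    return results


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{req!r:24} naive={verdict['naive']:7} hardened={verdict['hardened']}")
```

The canonical check is the one to keep: it decides on where the path actually lands on disk, not on what the raw string looks like, so encoding tricks and separator variants do not matter.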

References