CVE-2024-32113
Published: 08 May 2024
Summary
CVE-2024-32113 is a critical-severity Path Traversal (CWE-22) vulnerability in Apache OFBiz. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-32113 is a path traversal vulnerability, tracked as CWE-22, that affects Apache OFBiz versions prior to 18.12.13. The flaw stems from improper limitation of pathnames to restricted directories and carries a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation without authentication or user interaction and resulting in complete loss of confidentiality, integrity, and availability.
Unauthenticated remote attackers can supply crafted path sequences to traverse directories and access or modify arbitrary files on the server. Successful exploitation grants full control over the affected OFBiz instance, enabling data exfiltration, system modification, or service disruption.
Apache OFBiz project advisories and the associated security notice direct users to upgrade immediately to version 18.12.13, which contains the fix; the project’s download and security pages list the patched release and related Jira issue OFBIZ-13006.
The vulnerability’s EPSS score has reached a peak of 0.9701 with a current value of 0.9396, indicating sustained and substantial exploitation interest following public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-29935
Vulnerability details
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.13. Users are recommended to upgrade to version 18.12.13, which fixes the issue.
- CWE(s): CWE-22
- KEV Date Added: 07 August 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): directly requires validation of path inputs to reject traversal sequences such as '../' that enable the CWE-22 flaw.
SI-2 (Flaw Remediation): mandates prompt application of the vendor patch (upgrade to 18.12.13) that eliminates the path-traversal vulnerability.
Enforces access restrictions on files and directories so that even if a traversal attempt occurs, unauthorized file operations are blocked.