Cyber Resilience

CVE-2024-36104

Critical

Published: 04 June 2024

Modified: 01 July 2025
KEV Added: not listed
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.9307 (99.8th percentile)
Risk Priority: 74 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-36104 is a critical-severity Path Traversal (CWE-22) vulnerability in Apache OFBiz. Its CVSS base score is 9.1 (Critical).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-36104 is a path traversal vulnerability, tracked as CWE-22, that affects Apache OFBiz versions prior to 18.12.14. The flaw stems from improper limitation of pathnames to restricted directories and carries a CVSS 3.1 score of 9.1, reflecting network-accessible exploitation with no required credentials or user interaction and high impact on confidentiality and integrity.

An unauthenticated attacker can supply crafted path sequences over the network to read or write files outside intended directories, potentially exposing sensitive configuration data or altering application resources within an OFBiz deployment.

Apache OFBiz project advisories and the associated security page recommend immediate upgrade to version 18.12.14, which resolves the issue; the fix is also referenced in the project's download page and the OFBIZ-13092 Jira ticket.

The CVE maintains a high EPSS score near 0.93, indicating sustained exploitation interest following disclosure.

Vulnerability details

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.14. Users are recommended to upgrade to version 18.12.14, which fixes the issue.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: apache
Product: ofbiz
Versions: ≤ 18.12.14

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
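As an added illustration of that control (example code written for this page, not code from the Apache OFBiz project or from the advisory), the Java helper below confines a client-supplied file name to one base directory; the class name SafePathResolver, its constructor and its resolve method are assumed names.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Example only (not OFBiz code): keep a user-supplied file name inside one directory. */
public final class SafePathResolver {

    private final Path baseDir;

    public SafePathResolver(Path baseDir) throws IOException {
        // toRealPath() resolves symlinks, so containment is checked on the real location.
        this.baseDir = baseDir.toRealPath();
    }

    /**
     * Returns the resolved path if it stays inside baseDir, otherwise throws.
     * Rejects absolute paths, "." and ".." segments, NUL bytes and percent-encoded
     * variants such as "%2e%2e%2f" that a later decoder could expand into "../".
     */
    public Path resolve(String requested) throws IOException {
        if (requested == null || requested.isEmpty()) {
            throw new IllegalArgumentException("empty path");
        }
        // Decode once so encoded traversal sequences are checked in decoded form.
        // Note: URLDecoder also maps '+' to a space, which is acceptable for file names here.
        String decoded = URLDecoder.decode(requested, StandardCharsets.UTF_8);
        if (decoded.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("NUL byte in path");
        }
        Path rel = Paths.get(decoded);   // throws InvalidPathException on illegal characters
        if (rel.isAbsolute()) {
            throw new IllegalArgumentException("absolute path not allowed");
        }
        for (Path segment : rel) {
            String s = segment.toString();
            if (s.equals("..") || s.equals(".")) {
                throw new IllegalArgumentException("traversal segment not allowed");
            }
        }
        // Normalize, then canonicalize if the target exists: a symlink inside baseDir
        // that points outside it fails the startsWith check below.
        Path candidate = baseDir.resolve(rel).normalize();
        Path real = Files.exists(candidate) ? candidate.toRealPath() : candidate;
        if (!real.startsWith(baseDir)) {
            throw new SecurityException("path escapes base directory: " + requested);
        }
        return real;
    }
}
```

Callers use the returned Path for every subsequent read or write; the request string itself should never reach the file system.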
