Cyber Resilience

CVE-2024-45195

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 04 September 2024
Modified: 23 October 2025
KEV Added: 04 February 2025
Patch: available (fixed in 18.12.16)
CVSS v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS: 0.9415 (99.9th percentile)
Risk Priority: 91 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-45195 is a high-severity Forced Browsing (CWE-425) vulnerability in Apache OFBiz. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).

Deeper analysis

CVE-2024-45195 is a Direct Request ('Forced Browsing') vulnerability, tracked under CWE-425, that affects Apache OFBiz versions prior to 18.12.16. The flaw permits unauthorized access to protected resources through direct URL requests. It is scored CVSS 3.1 7.5: network attack vector, low attack complexity, no privileges or user interaction required, and high confidentiality impact with no integrity or availability impact.

An unauthenticated remote attacker can exploit the issue by crafting direct requests to restricted endpoints, bypassing normal access controls and obtaining sensitive data stored or processed by the OFBiz application. No authentication or user interaction is required, enabling straightforward information disclosure against any exposed instance.

Apache OFBiz project advisories direct users to upgrade immediately to version 18.12.16, which resolves the vulnerability. The fix is available via the project's download page and is documented in the associated security notice and JIRA issue OFBIZ-13130.

The CVE carries a high EPSS score of 0.9415, indicating substantial exploitation likelihood.


Vulnerability details

Direct Request ('Forced Browsing') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue.

CWE(s): CWE-425 (Direct Request / 'Forced Browsing')
KEV Date Added: 04 February 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: apache
Product: ofbiz
Versions: ≤ 18.12.16 (as listed; note that the advisory text states versions before 18.12.16 are affected and that 18.12.16 is the fixed release)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Directly enforces authorization checks on every request to protected OFBiz endpoints, blocking the forced-browsing path used by CVE-2024-45195.

AC-4 Information Flow Enforcement (prevent): Mediates information flows so that direct URL requests cannot reach sensitive resources without an explicit, policy-approved flow.

Least privilege (prevent; the control ID was not captured on this page, and the description corresponds to AC-6 Least Privilege): Ensures every OFBiz resource and function is assigned only the minimum privileges required, reducing the attack surface exposed by missing access checks.
