From: Jacques Le Roux
To: oss-security@lists.openwall.com
Reply-To: oss-security@lists.openwall.com
Message-ID: <18ab72f5-766b-22d7-3591-5748606e62a9@apache.org>
Date: Wed, 08 May 2024 14:39:03 +0000
Subject: [oss-security] CVE-2024-32113: Apache OFBiz: Path traversal leading to RCE

Severity: important

Affected versions:

- Apache OFBiz before 18.12.13

Description:

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.13.

Users are recommended to upgrade to version 18.12.13, which fixes the issue.
Credit: Qiyi Zhang (RacerZ) @secsys from Fudan (finder)

References:

https://ofbiz.apache.org/download.html
https://ofbiz.apache.org/security.html
https://issues.apache.org/jira/browse/OFBIZ-13006
https://lists.apache.org/thread/np8vgzr06z6cwm3tz7cs3609bdrj8526
https://ofbiz.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-32113