oss-security - CVE-2023-49070: Pre-auth RCE in Apache Ofbiz 18.12.09 due to XML-RPC still present

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <67c898ae-6e2b-c959-8115-24663fa01305@apache.org>
Date: Mon, 04 Dec 2023 21:04:50 +0000
From: Jacques Le Roux <jleroux@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2023-49070: Pre-auth RCE in Apache Ofbiz 18.12.09 due to
 XML-RPC still present 

Severity: moderate

Affected versions:

- Apache OFBiz before 18.12.10

Description:

Pre-auth RCE in Apache Ofbiz 18.12.09.

It's due to XML-RPC no longer maintained still present.
This issue affects Apache OFBiz: before 18.12.10. 
Users are recommended to upgrade to version 18.12.10

This issue is being tracked as OFBIZ-12812 

Credit:

Siebene@ (finder)

References:

https://ofbiz.apache.org/download.html
https://ofbiz.apache.org/security.html
https://ofbiz.apache.org/release-notes-18.12.10.html
https://ofbiz.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-49070
https://issues.apache.org/jira/browse/OFBIZ-12812

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.