Back to KEVs

CVE-2024-45507

Apache OFBiz: Prevent use of URLs in files when loading them from Java or Groovy, leading to a RCE

Basic Information

CVE State
PUBLISHED
Reserved Date
September 01, 2024
Published Date
September 04, 2024
Last Updated
September 13, 2024
Vendor
Apache Software Foundation
Product
Apache OFBiz
Description
Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue.
Tags
apache nuclei_scanner

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

Score
87.55% (Percentile: 99.41%) as of 2025-06-04

SSVC Information

Exploitation
none
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (added 2025-05-15 00:00:00 UTC) Source

References

https://ofbiz.apache.org/download.html https://ofbiz.apache.org/security.html https://issues.apache.org/jira/browse/OFBIZ-13132 https://lists.apache.org/thread/o90dd9lbk1hh3t2557t2y2qvrh92p7wy

Known Exploited Vulnerability Information

Source Added Date
The Shadowserver (via CIRCL) 2025-05-15 00:00:00 UTC

Scanner Integrations

Scanner URL Date Detected
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-45507.yaml 2025-04-26 00:00:00 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Detected by Nuclei

  • Added to KEVIntel