CVE-2024-32113 – RCE Vulnerability in Apache OFBiz: Immediate Action Required
A serious vulnerability (CVE-2024-32113) has been uncovered in Apache OFBiz, a popular open-source suite of enterprise software tools. The flaw is a path traversal issue that can be leveraged for remote code execution on systems running vulnerable versions.
Apache OFBiz provides a framework for building applications used in enterprise resource planning (ERP), customer relationship management (CRM), e-commerce, and more. Its flexibility and cross-industry focus make it a popular choice for businesses.
CVE-2024-32113 is classified as a path traversal vulnerability (CWE-22) that can lead to remote code execution (RCE). The Apache OFBiz project rates it "important", underscoring the risk it poses. Path traversal vulnerabilities occur when software builds a file path from externally supplied input without properly validating it, so that sequences such as `../` (or their URL-encoded equivalents) let an attacker reach files and resources outside the directory the application intended to expose.
The specific flaw in Apache OFBiz is an improper limitation of a pathname to a restricted directory: the application fails to confine requested paths to the locations it intends to serve, so an attacker can navigate to resources outside the intended directory and, in this case, execute arbitrary code on the server. Successful exploitation could allow an attacker to install malicious programs, view, alter or delete data, or create new accounts, with whatever privileges the account running the OFBiz service holds; running OFBiz as an unprivileged service account limits, but does not eliminate, that impact.
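To make the general class concrete, the following is an added illustration of how a path traversal bug typically looks and how a correct containment check differs. It is not code from Apache OFBiz and says nothing about where the OFBiz bug actually lives; the web root `/var/www/app/public`, the function names and the access-log lines are all constructed for the example. The same canonicalisation is reused to flag suspicious request paths in a log, which is a useful triage step while a patch is being rolled out.

```python
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed example: the directory the application intends to expose.
WEB_ROOT = "/var/www/app/public"


def vulnerable_resolve(user_path: str) -> str:
    """Typical buggy pattern: decode once, join onto the root, and never check
    that the result is still inside the root. '../' sequences simply walk out."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, unquote(user_path)))


def _fully_decode(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding until it stops changing (bounded), so that
    '%2e%2e' and double-encoded '%252e%252e' both become '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_resolve(user_path: str, root: str = WEB_ROOT) -> Optional[str]:
    """Return the canonical path under `root`, or None if the request would
    escape it. This is pure string canonicalisation; a real server should also
    resolve symlinks (os.path.realpath) before opening the file."""
    decoded = _fully_decode(user_path)
    if "\x00" in decoded:                  # NUL bytes truncate paths in C-level APIs
        return None
    decoded = decoded.replace("\\", "/")   # treat backslash as a separator too
    rel = decoded.lstrip("/")              # absolute input is root-relative, never a jump out
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, rel))
    # The trailing '/' matters: without it '/var/www/app/public_old' would pass.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


# Constructed access-log lines (Common Log Format) used to demonstrate triage.
CONSTRUCTED_ACCESS_LOG = [
    '10.0.0.5 - - [01/May/2024:10:00:01 +0000] "GET /images/logo.png HTTP/1.1" 200 1234',
    '10.0.0.9 - - [01/May/2024:10:00:07 +0000] "GET /../../../etc/passwd HTTP/1.1" 404 0',
    '10.0.0.9 - - [01/May/2024:10:00:09 +0000] "GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0',
]

_REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) ')


def flag_traversal_requests(log_lines: List[str]) -> List[str]:
    """Return the request paths that would escape WEB_ROOT after decoding."""
    flagged = []
    for line in log_lines:
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        path = match.group(1).split("?", 1)[0]   # drop the query string
        if safe_resolve(path) is None:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for probe in ["images/logo.png", "../../../../etc/passwd",
                  "%252e%252e/%252e%252e/etc/passwd", "../public_old/secret"]:
        print(f"{probe!r:45} vulnerable={vulnerable_resolve(probe)!r:35} safe={safe_resolve(probe)!r}")
    print("flagged:", flag_traversal_requests(CONSTRUCTED_ACCESS_LOG))
```

Two details are the ones that usually go wrong in real code: decoding must be repeated until the input stops changing (a single `unquote` misses double encoding), and the containment test must compare against the root with a trailing separator, otherwise a sibling directory whose name merely starts with the root name passes the check.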
This vulnerability affects Apache OFBiz releases before 18.12.13. The Apache OFBiz project has released version 18.12.13, which fixes the path traversal; organisations running OFBiz should upgrade to it without delay and confirm the deployed version afterwards. Where the upgrade cannot happen immediately, restrict network exposure of the OFBiz web interfaces to trusted sources and review access logs for unusual path patterns (for example `../` or its URL-encoded forms) until the patch is in place.