Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
3

CVE-2023-49070

Disclosure Date: December 05, 2023
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Pre-auth RCE in Apache Ofbiz 18.12.09.

It’s due to XML-RPC no longer maintained still present.
This issue affects Apache OFBiz: before 18.12.10. 
Users are recommended to upgrade to version 18.12.10

Add Assessment

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-2023-49070 is a critical security vulnerability in Apache OFBiz, a comprehensive open-source enterprise resource planning (ERP) system. This vulnerability is classified as a pre-authentication remote code execution (RCE) issue, primarily stemming from an outdated and no longer maintained XML-RPC component in Apache OFBiz. The specific version affected is 18.12.09, and it is recommended that users upgrade to version 18.12.10 to mitigate the risk

In terms of severity, CVE-2023-49070 has a CVSS v3 Base Score of 9.8, which is considered critical. The CVSS scoring vector for this vulnerability indicates that the vulnerability is network exploitable, requires low attack complexity, no privileges, and no user interaction. It has an impact on confidentiality, integrity, and availability, all rated as high.

Additionally, the Exploit Prediction Scoring System (EPSS) score for CVE-2023-49070 indicates a 50.12% probability of exploitation activity in the next 30 days. ShadowServer is already observing scans being executed by using an available poc for this vulnerability: https://github.com/abdoghazy2015/ofbiz-CVE-2023-49070-RCE-POC. The patch provided for this vulnerability failed to remove root cause of the issue and it is advised to update again for CVE-2023-51467.(https://www.openwall.com/lists/oss-security/2023/12/26/3)

Given its critical nature, high likelihood of exploitation, and the potential for significant impact, it’s essential for organizations using Apache OFBiz to address this vulnerability promptly.

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • apache

Products

  • ofbiz

Exploited in the Wild

Reported by:
Technical Analysis