CVE-2024-38856

Source
https://cve.org/CVERecord?id=CVE-2024-38856
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-38856.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-38856
Published
2024-08-05T09:15:56.780Z
Modified
2025-11-15T22:31:25.060571Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Incorrect Authorization vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: through 18.12.14.

Users are recommended to upgrade to version 18.12.15, which fixes the issue.

Unauthenticated endpoints could allow execution of screen rendering code if some preconditions are met (such as when the screen definitions do not explicitly check the user's permissions because they rely on the configuration of their endpoints).

References

Affected packages

Git / github.com/apache/ofbiz-framework

Affected ranges

Type
GIT
Repo
https://github.com/apache/ofbiz-framework
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

release18.*

release18.12.01
release18.12.02
release18.12.03
release18.12.04
release18.12.05
release18.12.12
release18.12.13
release18.12.14

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-38856.json"

vanir_signatures

[
    {
        "source": "https://github.com/apache/ofbiz-framework/commit/6c3b0068a99bb3b93321fdb983a0046b0679c86d",
        "id": "CVE-2024-38856-03c7d167",
        "signature_type": "Line",
        "signature_version": "v1",
        "target": {
            "file": "framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ConfigXMLReader.java"
        },
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "16237928801769355647919000095175284067",
                "279097356743855932756619687220893319709",
                "273185140359734659992900487972147521510",
                "272830951868334040380757588277782715210",
                "198115970284892576381814091129744175161",
                "156801118489440031399249922660119204120",
                "17419182794509903132157188192279864619",
                "319171371338532270866278758939786887587",
                "272505973760705412638679905762905969544",
                "182861801311226970744323937573579066560"
            ],
            "threshold": 0.9
        }
    },
    {
        "source": "https://github.com/apache/ofbiz-framework/commit/6c3b0068a99bb3b93321fdb983a0046b0679c86d",
        "id": "CVE-2024-38856-7550093e",
        "signature_type": "Function",
        "signature_version": "v1",
        "target": {
            "file": "framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ConfigXMLReader.java",
            "function": "ViewMap"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "289731587944239157478450005162939112262",
            "length": 907.0
        }
    },
    {
        "source": "https://github.com/apache/ofbiz-framework/commit/6c3b0068a99bb3b93321fdb983a0046b0679c86d",
        "id": "CVE-2024-38856-805bb689",
        "signature_type": "Line",
        "signature_version": "v1",
        "target": {
            "file": "framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java"
        },
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "226720336440091456568055407268121400228",
                "143080546213670749940831542994819412235",
                "1868680413758454524348053782127259926",
                "173130246160965080851195595369703173765",
                "187400503843563474427066163369618456596",
                "137948593440813080134710218417753856069",
                "256459321338719085669855389801053403838",
                "70267618819608495326245243460189652664",
                "337270641275986671421375631470018528044",
                "303241113400411699155420109973754893272",
                "65229489003242147538656639975465287136",
                "38769350571236847600693412600179347823",
                "199178616298278916722095930772674720540",
                "150385102235644132487182112455060085302",
                "56773817233749987283973893043919928206",
                "23469707285194751312439660564106769525",
                "117363730291814426482816689471425138532",
                "188143581695577658211745036958273071677",
                "293400857134866993208488101898904196274",
                "154191612978878504285967907407432258341",
                "263274359243705375965483943012057223234",
                "63238528625549451350539847244494150840",
                "74512146229357788023298846025078597907",
                "211129942122505838924169863251338612041",
                "3900834991457700138899303516254445885",
                "68920232806175318604197657785419106290",
                "27519593302627289968737207598177662583",
                "35329941838764983836804262232273083587",
                "28846086343552447133845254914176141244"
            ],
            "threshold": 0.9
        }
    },
    {
        "source": "https://github.com/apache/ofbiz-framework/commit/6c3b0068a99bb3b93321fdb983a0046b0679c86d",
        "id": "CVE-2024-38856-87749879",
        "signature_type": "Function",
        "signature_version": "v1",
        "target": {
            "file": "framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java",
            "function": "doRequest"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "127020776840894583888347848105549337837",
            "length": 20752.0
        }
    },
    {
        "source": "https://github.com/apache/ofbiz-framework/commit/6c3b0068a99bb3b93321fdb983a0046b0679c86d",
        "id": "CVE-2024-38856-939d270a",
        "signature_type": "Function",
        "signature_version": "v1",
        "target": {
            "file": "framework/webapp/src/test/java/org/apache/ofbiz/webapp/control/RequestHandlerTests.java",
            "function": "resolveURIBasicOverrideView"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "252684546882370506403639156501137473225",
            "length": 549.0
        }
    },
    {
        "source": "https://github.com/apache/ofbiz-framework/commit/6c3b0068a99bb3b93321fdb983a0046b0679c86d",
        "id": "CVE-2024-38856-c50e774b",
        "signature_type": "Function",
        "signature_version": "v1",
        "target": {
            "file": "framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java",
            "function": "resolveURI"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "49410172142283753758052014897718780082",
            "length": 680.0
        }
    },
    {
        "source": "https://github.com/apache/ofbiz-framework/commit/6c3b0068a99bb3b93321fdb983a0046b0679c86d",
        "id": "CVE-2024-38856-ef9e4e6f",
        "signature_type": "Line",
        "signature_version": "v1",
        "target": {
            "file": "framework/webapp/src/test/java/org/apache/ofbiz/webapp/control/RequestHandlerTests.java"
        },
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "286477505649465832301079209369792175799",
                "18324683007926061974728313524300451877",
                "188663671449093183171970600071215843006",
                "65308096173048705420922724742824449340",
                "316030500068515158819464895025355409791",
                "306611767280792831562221589684052443265",
                "301506262570323668687688091640580230747",
                "287383009294581322429732682768279092907",
                "291907097562093325603956982556486697276",
                "295079923233464330274413188492142325479",
                "78793336910171886003253462130962246282"
            ],
            "threshold": 0.9
        }
    }
]