Security
Security Vulnerabilities
Please see the ASF Security Team webpage for further information about reporting a security vulnerability as well as their contact information.
We strongly encourage OFBiz users to report security problems affecting OFBiz to the private security mailing lists (either security@ofbiz.apache.org or security@apache.org) before disclosing them in a public forum. Please don't bundle several vulnerabilities in the same report; send them one by one. Thanks in advance.
Note that we no longer create CVEs for post-authN attacks carried out using demo credentials, notably the admin user. Instead, create bug reports in our issue tracker (Jira) for those. Please don't create Jira issues for unauthenticated (aka pre-authN) reports; thanks in advance.
One of the reasons we no longer create CVEs for post-authN attacks done using demo credentials is that we strongly advise OFBiz users not to use the demo credentials in production, and we expect OFBiz users to follow that advice. We also warn our users on the "Keeping OFBiz secure" wiki page. Finally, we reject pre-authN vulnerability reports because we have a solid CSRF defense.
To clarify the vocabulary used above, here are two links:
List of Known Vulnerabilities
- CVE-2024-48962; affected releases before 18.12.17; fixed in 18.12.17 with commit 761fb67d7f
- CVE-2024-47208; affected releases before 18.12.17; fixed in 18.12.17 with commit f044a7e5bf
- CVE-2024-45507; affected releases before 18.12.16; fixed in 18.12.16 with commit ffb1bc4879
- CVE-2024-45195; affected releases before 18.12.16; fixed in 18.12.16 with commits ab78769c2d, 8b95fe6fa
- CVE-2024-38856; affected releases before 18.12.15; fixed in 18.12.15 with commit 31d8d7
- CVE-2024-36104; affected releases before 18.12.14; fixed in 18.12.14 with commits d33ce31012, 474e806816
- CVE-2024-32113; affected releases before 18.12.13; fixed in 18.12.13 with commits b3b87d98dd, ff316b6e22
- CVE-2024-23946; affected releases before 18.12.12; fixed in 18.12.12 with commits b1cf4ef3e1, 93f8a58419, c910e413ba
- CVE-2024-25065; affected releases before 18.12.12; fixed in 18.12.12 with commit b91a9b7f26
- CVE-2023-51467; affected releases before 18.12.11; fixed in 18.12.11 with commits d8b097f, 1dcfa07180
- CVE-2023-50968; affected releases before 18.12.11; fixed in 18.12.11 with commit 82c1737688
- CVE-2023-49070; affected release 18.12.09; fixed in 18.12.10 with commit c59336f604
- CVE-2023-46819; affected release 18.12.08; fixed in 18.12.09 with commit 998bf510a
- CVE-2022-25371; affected release 18.12.07; fixed in 18.12.08 with commit 41ff12cf8
- CVE-2022-47501; affected releases before 18.12.07; fixed in 18.12.07 with commit 582add7d3
- CVE-2022-25813; affected releases before 18.12.06; fixed in 18.12.06 with commits 843b1c7e71, 3797e60375, b24dcff344, 871ce2aa2e, 829e1ca53, 16ed130367, 5cc45e8701
- CVE-2022-29063; affected releases before 18.12.06; fixed in 18.12.06 with commit 061252a80
- CVE-2022-29158; affected releases before 18.12.06; fixed in 18.12.06 with commit ff92c4bc9
- CVE-2022-25371; affected releases before 18.12.06; fixed in 18.12.06 by temporarily disabling the Birt component until https://github.com/eclipse/birt/issues/625 is resolved
- CVE-2022-25370; affected releases before 18.12.06; fixed in 18.12.06 by temporarily disabling the Birt component until https://github.com/eclipse/birt/issues/625 is resolved
- CVE-2021-45105; affected all releases before 17.12.09 and 18.12.04; fixed in 17.12.09 and 18.12.04 with commits 00896e7, c69bc8f, 4442c2a
- CVE-2021-44228; affected all releases before 17.12.09 and 18.12.03; fixed in 17.12.09 and 18.12.03 with commits 00896e7, c69bc8f, bccf140
- CVE-2021-37608; affected all releases before 17.12.08; fixed in 17.12.08 with commit 8d49af4
- CVE-2021-30128; affected all releases before 17.12.07; fixed in 17.12.07 with commits 643b9c7, a343812, 62e657f, fcc0078, 3f97578, 7fd9d05
- CVE-2021-29200; affected all releases before 17.12.07; fixed in 17.12.07 with commit 1bc8a20
- CVE-2021-26295; affected all releases before 17.12.07; fixed in 17.12.06 with commit af9ed4e
- CVE-2020-9496; affected releases: 17.12.03; fixed in 17.12.04
- CVE-2020-13923; affected all releases before 17.12.04; fixed in 17.12.04
- CVE-2019-12425; affected releases: 17.12.01; fixed in 17.12.03 with commit 793628b
- CVE-2019-0235; affected releases: 17.12.01; fixed in 17.12.03 with commits 82ef7a5, 62f9b45
- CVE-2020-1943; affected releases: from 16.11.01 to 16.11.07; fixed in 17.12.01
- CVE-2019-12426; affected releases: from 16.11.01 to 16.11.06; fixed in 16.11.07 with revision 1869887
- CVE-2018-17200; affected releases: from 16.11.01 to 16.11.05; fixed in 16.11.06 with revisions 1850017, 1850019
- CVE-2019-0189; affected releases: from 16.11.01 to 16.11.05; fixed in 16.11.06 with revisions specified in OFBIZ-10770, OFBIZ-10837
- CVE-2019-10073; affected releases: from 16.11.01 to 16.11.05; fixed in 16.11.06 with revisions 1858438, 1858543, 1860595, 1860616
- CVE-2019-10074; affected releases: from 16.11.01 to 16.11.05; fixed in 16.11.06 with revision 1858533
- CVE-2018-8033; affected releases: from 16.11.01 to 16.11.04; fixed in 16.11.05 with revisions 1833708, 1836141
- CVE-2011-3600; affected releases: from 16.11.01 to 16.11.04; fixed in 16.11.05 with revisions 1833724, 1833708, 1836141
- CVE-2017-15714; affected releases: from 16.11.01 to 16.11.03; fixed in 16.11.04 with revision 1759065
- CVE-2016-6800; affected releases: 13.07.*, 12.04.*, 11.04.*; fixed in 16.11.01 with revisions 1759065 and 1759218
- CVE-2016-4462; affected releases: 13.07.*, 12.04.*, 11.04.*; fixed in 16.11.01 with revisions 1761978, 1761986 and 1761987
- CVE-2016-2170; affected releases: 13.07.02 and earlier versions (13.07.*), 12.04.05 and earlier versions (12.04.*); fixed in 13.07.03 and 12.04.06
- CVE-2015-3268; affected releases: 13.07.02 and earlier versions (13.07.*), 12.04.05 and earlier versions (12.04.*); fixed in 13.07.03 and 12.04.06
- CVE-2014-0232; affected releases: 12.04.03 and earlier versions (12.04.*), 11.04.04 and earlier versions (11.04.*); fixed in 12.04.04 and 11.04.05
- CVE-2013-2250; affected releases: 12.04.01, 11.04.02 and earlier versions (11.04.*), 10.04.05 and earlier versions (10.04.*); fixed in 12.04.02, 11.04.03 and 10.04.06
- CVE-2013-2137; affected releases: 12.04.01, 11.04.02 and earlier versions (11.04.*), 10.04.05 and earlier versions (10.04.*); fixed in 12.04.02, 11.04.03 and 10.04.06
- CVE-2013-0177; affected releases: 11.04.01, 10.04.04 and earlier versions (10.04.*); fixed in 11.04.02 and 10.04.05
- CVE-2012-3506; affected releases: 10.04.02, 10.04 (10.04.01); fixed in 10.04.03
- CVE-2012-1622; affected releases: 10.04 (10.04.01); fixed in 10.04.02
- CVE-2012-1621; affected releases: 10.04 (10.04.01); fixed in 10.04.02
- CVE-2010-0432; affected releases: 09.04; fixed in 09.04.01