CVE-2023-50968: 
Apache OFBiz vulnerability analysis and mitigation

CVE-2023-50968 is a security vulnerability discovered in Apache Software Foundation Apache OFBiz affecting versions through 18.12.10. The vulnerability was disclosed on December 26, 2023, and involves arbitrary file properties reading and Server-Side Request Forgery (SSRF) capabilities when a user operates a URI call without proper authorization (NVD, OSS Security).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The issue stems from unauthorized access to URI calls that could lead to both arbitrary file properties reading and SSRF attacks. The vulnerability is tracked under CWE-918 (Server-Side Request Forgery) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).

The vulnerability allows unauthorized users to read arbitrary file properties and potentially execute SSRF attacks against the affected system. This could lead to exposure of sensitive information and potential system compromise through server-side request manipulation (OSS Security, Rapid7).

Users are strongly recommended to upgrade to Apache OFBiz version 18.12.11, which contains the fix for this vulnerability. The fix implements screen engine controls for the getJSONuilabels request to prevent unauthorized access (Apache OFBiz Security, Release Notes).