CVE-2024-23946: 
Apache OFBiz vulnerability analysis and mitigation

CVE-2024-23946 is a path traversal vulnerability discovered in Apache OFBiz that allows file inclusion. The vulnerability was disclosed on February 28, 2024, and affects all versions of Apache OFBiz before 18.12.12. The vulnerability was discovered by Arun Shaji from TrendMicro (Apache Security, OSS Security).

The vulnerability is classified as a path traversal vulnerability (CWE-22) and unrestricted upload of file with dangerous type (CWE-434). It has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating that it can be exploited remotely without requiring privileges or user interaction (NVD, ZDI).

The vulnerability allows remote attackers to disclose sensitive information on affected installations of Apache OFBiz. Specifically, attackers can leverage this vulnerability to disclose the names of internal paths used by the system and potentially include malicious files within the system, compromising its integrity (ZDI, Security Online).

Users are strongly recommended to upgrade to Apache OFBiz version 18.12.12, which contains the fix for this vulnerability. The fix was implemented through multiple commits (b1cf4ef3e1, 93f8a58419, c910e413ba) (Apache Security, OSS Security).