Loading…

Cookies and privacy

We use strictly necessary cookies to run the site. With your permission we also load Vercel Web Analytics and Speed Insights to measure traffic and performance in aggregate. See our Cookie Policy and Privacy Policy.

CVE-2024-38856: Apache OFBiz Incorrect Authorization Vulnerability · Scorifya

CVE detail

CVE-2024-38856: Apache OFBiz Incorrect Authorization Vulnerability

Source: CISA Known Exploited Vulnerabilities catalog · back to feed

Vendor / product

Apache · OFBiz

Date added (KEV): Aug 27, 2024
CISA due date: Sep 17, 2024
Ransomware campaign use: Unknown

Required action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Vendor fix: Vendor advisory

Scorifya interpretation

AI-generated

A short, structured read of the record above — generated when this page first loads, then cached for a week.

Plain English

Technical detail

From CISA

Apache OFBiz contains an incorrect authorization vulnerability that could allow remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker.

This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w; https://nvd.nist.gov/vuln/detail/CVE-2024-38856

References

https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7wMailing ListVendor Advisory
https://ofbiz.apache.org/security.htmlPatch
https://issues.apache.org/jira/browse/OFBIZ-13128Issue Tracking
https://ofbiz.apache.org/download.htmlProduct
http://www.openwall.com/lists/oss-security/2024/08/04/1Mailing List
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-38856

Other recent CVEs from Apache

CVE-2026-34197ActiveMQ — Apache ActiveMQ Improper Input Validation Vulnerability
CVE-2024-38475HTTP Server — Apache HTTP Server Improper Escaping of Output Vulnerability
CVE-2025-24813Tomcat — Apache Tomcat Path Equivalence Vulnerability
CVE-2024-45195OFBiz — Apache OFBiz Forced Browsing Vulnerability
CVE-2024-27348HugeGraph-Server — Apache HugeGraph-Server Improper Access Control Vulnerability

Check your domain's public posture

Scorifya doesn't test for specific CVEs, but if patching Apache changed your headers or TLS, a fresh hardening scan helps confirm nothing regressed externally.

Run a free scan Methodology