CVE-2024-25065
Detail
Description
Possible path traversal in Apache OFBiz allowing authentication bypass.
Users are recommended to upgrade to version 18.12.12, that fixes the issue.
Metrics
CVSS Version 4.0
CVSS Version 3.x
CVSS Version 2.0
NVD enrichment efforts reference publicly available information to associate
vector strings. CVSS information contributed by other sources is also
displayed.
CVSS 4.0 Severity and Vector Strings:
NVD assessment
not yet provided.
CVSS 3.x Severity and Vector Strings:
NVD assessment
not yet provided.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS 2.0 Severity and Vector Strings:
NVD assessment
not yet provided.
References to Advisories, Solutions, and Tools
By selecting these links, you will be leaving NIST webspace.
We have provided these links to other web sites because they
may have information that would be of interest to you. No
inferences should be drawn on account of other sites being
referenced, or not, from this page. There may be other web
sites that are more appropriate for your purpose. NIST does
not necessarily endorse the views expressed, or concur with
the facts presented on these sites. Further, NIST does not
endorse any commercial products that may be mentioned on
these sites. Please address comments about this page to [email protected]
Weakness Enumeration
CWE-ID
CWE Name
Source
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Apache Software Foundation
Change History
8 change records found show changes
CVE Modified by CISA-ADP
6/17/2026 3:15:26 AM
Action
Type
Old Value
New Value
Added
Affected
[{"vendor":"apache","product":"ofbiz","defaultStatus":"unknown","cpes":["cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*"],"versions":[{"version":"0","lessThan":"18.12.12","versionType":"custom","status":"affected"}]}]
Added
SSVC
{"timestamp":"2024-08-29T14:49:41.208173Z","id":"CVE-2024-25065","options":[{"exploitation":"poc"},{"automatable":"yes"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}
CVE Modified by Apache Software Foundation
6/17/2026 3:15:26 AM
Action
Type
Old Value
New Value
Added
Affected
[{"vendor":"Apache Software Foundation","product":"Apache OFBiz","defaultStatus":"unaffected","versions":[{"version":"0","lessThan":"18.12.12","versionType":"custom","status":"affected"}]}]
Initial Analysis by NIST
5/05/2025 5:02:31 PM
Action
Type
Old Value
New Value
Added
CPE Configuration
OR
*cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:* versions up to (excluding) 18.12.12
Added
Reference Type
Apache Software Foundation: http://www.openwall.com/lists/oss-security/2024/02/28/10 Types: Mailing List
Added
Reference Type
Apache Software Foundation: https://issues.apache.org/jira/browse/OFBIZ-12887 Types: Issue Tracking
Added
Reference Type
Apache Software Foundation: https://lists.apache.org/thread/rplfjp7ppn9ro49oo7jsrpj99m113lfc Types: Mailing List
Added
Reference Type
Apache Software Foundation: https://ofbiz.apache.org/download.html Types: Product
Added
Reference Type
Apache Software Foundation: https://ofbiz.apache.org/release-notes-18.12.12.html Types: Release Notes
Added
Reference Type
Apache Software Foundation: https://ofbiz.apache.org/security.html Types: Vendor Advisory
Added
Reference Type
CVE: http://www.openwall.com/lists/oss-security/2024/02/28/10 Types: Mailing List
Added
Reference Type
CVE: https://issues.apache.org/jira/browse/OFBIZ-12887 Types: Issue Tracking
Added
Reference Type
CVE: https://lists.apache.org/thread/rplfjp7ppn9ro49oo7jsrpj99m113lfc Types: Mailing List
Added
Reference Type
CVE: https://ofbiz.apache.org/download.html Types: Product
Added
Reference Type
CVE: https://ofbiz.apache.org/release-notes-18.12.12.html Types: Release Notes
Added
Reference Type
CVE: https://ofbiz.apache.org/security.html Types: Vendor Advisory
CVE Modified by Apache Software Foundation
2/13/2025 1:17:13 PM
Action
Type
Old Value
New Value
Changed
Description
Possible path traversal in Apache OFBiz allowing authentication bypass.
Users are recommended to upgrade to version 18.12.12, that fixes the issue.
Possible path traversal in Apache OFBiz allowing authentication bypass.
Users are recommended to upgrade to version 18.12.12, that fixes the issue.
CVE Modified by CVE
11/21/2024 4:00:10 AM
Action
Type
Old Value
New Value
Added
Reference
http://www.openwall.com/lists/oss-security/2024/02/28/10
Added
Reference
https://issues.apache.org/jira/browse/OFBIZ-12887
Added
Reference
https://lists.apache.org/thread/rplfjp7ppn9ro49oo7jsrpj99m113lfc
Added
Reference
https://ofbiz.apache.org/download.html
Added
Reference
https://ofbiz.apache.org/release-notes-18.12.12.html
Added
Reference
https://ofbiz.apache.org/security.html
CVE Modified by CISA-ADP
8/29/2024 4:36:15 PM
Action
Type
Old Value
New Value
Added
CVSS V3.1
CISA-ADP AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE Modified by Apache Software Foundation
5/14/2024 11:04:05 AM
Action
Type
Old Value
New Value
New CVE Received from Apache Software Foundation
2/28/2024 8:44:14 PM
Action
Type
Old Value
New Value
Added
Description
Possible path traversal in Apache OFBiz allowing authentication bypass.
Users are recommended to upgrade to version 18.12.12, that fixes the issue.
Added
CWE
Apache Software Foundation CWE-22
Added
Reference
Apache Software Foundation http://www.openwall.com/lists/oss-security/2024/02/28/10 [No types assigned]
Added
Reference
Apache Software Foundation https://issues.apache.org/jira/browse/OFBIZ-12887 [No types assigned]
Added
Reference
Apache Software Foundation https://lists.apache.org/thread/rplfjp7ppn9ro49oo7jsrpj99m113lfc [No types assigned]
Added
Reference
Apache Software Foundation https://ofbiz.apache.org/download.html [No types assigned]
Added
Reference
Apache Software Foundation https://ofbiz.apache.org/release-notes-18.12.12.html [No types assigned]
Added
Reference
Apache Software Foundation https://ofbiz.apache.org/security.html [No types assigned]
Quick Info
CVE Dictionary Entry: CVE-2024-25065 NVD
Published Date: 02/28/2024 NVD
Last Modified: 06/17/2026
Source: Apache Software Foundation
) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.
