Zscaler Inc.

12/08/2024 | News release | Distributed by Public on 12/08/2024 17:30

CVE-2024-38856: Pre-Auth RCE Vulnerability in Apache OFBiz

The earlier vulnerability, CVE-2024-36104, was a path traversal flaw: because Apache OFBiz did not adequately validate the request path, a remote attacker could reach endpoints that should have been restricted. Exploitation involved sending a malformed URL containing '' sequences, which could lead to the execution of arbitrary code on the server.

An example of a malformed POST request and its request body is shown in the figure below. The request body carries a command '' that is executed on the server; the output of that command is reflected back in the error message returned by OFBiz and is highlighted in the green box.

Figure 1: An example of a POST request related to CVE-2024-36104. The request includes an encoded request body, along with its corresponding output.

The more recent vulnerability, CVE-2024-38856, reaches the same endpoint without any path traversal vector: the request is served even though access should have been restricted to authenticated users.

The figure below shows an attack chain exploiting CVE-2024-38856.

Figure 2: The attack chain depicting an attacker exploiting CVE-2024-38856.

The figure below shows the same malformed request, this time without a path traversal vector, being executed; the output of the command is again displayed in the error message.

Figure 3: An example of a POST request related to CVE-2024-38856. The request includes an encoded request body, and the output associated with it.

Further investigation showed that the endpoint can be reached without authentication by chaining it with any other endpoint that does not require authentication: the login check is applied to the unauthenticated endpoint named in the request, while the restricted endpoint's view is still rendered. Examples of such endpoints include:

URLs that could be used to exploit this vulnerability are:
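As an added illustration (not Zscaler's code and not Apache OFBiz source), the model below reproduces the chaining described above: the login requirement is checked only for the first request named in the path, while the view of the second is rendered regardless. It sits beside a hardened dispatcher that checks every request named in the path, and a helper that flags the same pattern in access-log lines. The request names "public" and "privileged", the request map and the log lines are assumptions constructed for the example; the real OFBiz controller configuration and the endpoint names seen in actual attacks are not reproduced here, and the hardened variant illustrates the principle rather than the upstream patch.

```python
"""Model of the authorization bypass behind CVE-2024-38856, plus a log check.

Added example, not Apache OFBiz code and not code from the Zscaler release.
The request map, the request names "public"/"privileged" and the log lines are
constructed for illustration (assumptions); the real OFBiz controller
configuration and the endpoint names used in real attacks are not reproduced.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for an OFBiz controller request map (assumption).
REQUEST_MAP = {
    "public":     {"auth": False, "view": "PublicView"},
    "privileged": {"auth": True,  "view": "PrivilegedView"},
}


@dataclass
class Outcome:
    status: int
    view: Optional[str]


def _segments(path: str) -> List[str]:
    """Path segments after '/control/', ignoring any query string."""
    path = path.split("?", 1)[0]
    if "/control/" not in path:
        return []
    return [s for s in path.split("/control/", 1)[1].split("/") if s]


def dispatch_vulnerable(path: str, logged_in: bool) -> Outcome:
    """Pre-fix behaviour as described in the release: the login requirement is
    checked only for the first segment, while a second segment selects the
    view that is rendered without a check of its own."""
    segs = _segments(path)
    if not segs or segs[0] not in REQUEST_MAP:
        return Outcome(404, None)
    request = REQUEST_MAP[segs[0]]
    if request["auth"] and not logged_in:
        return Outcome(401, None)
    if len(segs) > 1 and segs[1] in REQUEST_MAP:
        # Override view: rendered on the strength of segs[0]'s check alone.
        return Outcome(200, REQUEST_MAP[segs[1]]["view"])
    return Outcome(200, request["view"])


def dispatch_fixed(path: str, logged_in: bool) -> Outcome:
    """Hardened variant (illustrative, not the upstream patch): every request
    named in the path must pass its own login check before a view is rendered."""
    segs = _segments(path)[:2]
    if not segs or any(s not in REQUEST_MAP for s in segs):
        return Outcome(404, None)
    if any(REQUEST_MAP[s]["auth"] for s in segs) and not logged_in:
        return Outcome(401, None)
    return Outcome(200, REQUEST_MAP[segs[-1]]["view"])


LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def flag_chained_requests(log_lines: List[str]) -> List[Tuple[str, int]]:
    """Flag access-log entries whose path names an unauthenticated request
    followed by an auth-required one: the chaining pattern of CVE-2024-38856.
    A real deployment would derive REQUEST_MAP from its controller.xml."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        segs = _segments(m.group("path"))
        if len(segs) < 2:
            continue
        first, second = REQUEST_MAP.get(segs[0]), REQUEST_MAP.get(segs[1])
        if first and second and not first["auth"] and second["auth"]:
            hits.append((m.group("path").split("?", 1)[0], int(m.group("status"))))
    return hits


# Constructed access-log lines (not taken from a real incident).
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Dec/2024:17:30:01 +0000] "POST /webtools/control/public/privileged HTTP/1.1" 200 512',
    '10.0.0.6 - - [08/Dec/2024:17:30:02 +0000] "GET /webtools/control/public HTTP/1.1" 200 128',
    '10.0.0.7 - - [08/Dec/2024:17:30:03 +0000] "GET /webtools/control/privileged HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    req = "/webtools/control/public/privileged"
    print("vulnerable:", dispatch_vulnerable(req, logged_in=False))
    print("fixed:     ", dispatch_fixed(req, logged_in=False))
    print("flagged:   ", flag_chained_requests(SAMPLE_LOG))
```

The log check is a heuristic: it only recognises request names present in its map, so a defender should populate that map from the deployed controller configuration rather than the two constructed names used here, and treat a 200 response on a flagged path as the strongest signal, since a patched server answers the chained request with an error instead of the restricted view.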