CVE-2024-36104

9.1 CRITICAL

📋 TL;DR

This path traversal vulnerability in Apache OFBiz lets an attacker access files outside the intended directory. It affects all Apache OFBiz installations before version 18.12.14. An attacker could potentially read sensitive files or execute arbitrary code.

💻 Affected Systems

Products:
  • Apache OFBiz
Versions: All versions before 18.12.14
Operating Systems: All platforms running Apache OFBiz
Default Config Vulnerable: ⚠️ Yes
Notes: All Apache OFBiz deployments with default configurations are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through arbitrary file read/write leading to remote code execution and data exfiltration.

🟠

Likely Case

Unauthorized access to sensitive configuration files, credentials, or application data stored on the server.

🟢

If Mitigated

Limited impact if proper file system permissions and web server restrictions are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Path traversal vulnerabilities typically have low exploitation complexity and may be exploited without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 18.12.14

Vendor Advisory: https://ofbiz.apache.org/security.html

Restart Required: Yes

Instructions:

1. Download Apache OFBiz 18.12.14 from https://ofbiz.apache.org/download.html
2. Backup current installation and data
3. Deploy new version following Apache OFBiz upgrade procedures
4. Restart the OFBiz service

🔧 Temporary Workarounds

Web Application Firewall Rules

all

Implement WAF rules that block path traversal patterns such as '../' and other directory traversal attempts.

File System Restrictions

all

Configure the web server to restrict access to parent directories and apply proper file permissions.

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access to OFBiz instances
  • Deploy web application firewall with path traversal detection rules

🔍 How to Verify

Check if Vulnerable:

Check Apache OFBiz version. If version is below 18.12.14, the system is vulnerable.

Check Version:

Check the OFBiz version in the web interface, or examine the version files in the installation directory.

Verify Fix Applied:

Verify version is 18.12.14 or higher and test path traversal attempts are properly blocked.
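The version comparison above is easy to get wrong when done on strings ("18.12.9" sorts after "18.12.14" lexicographically). The following is an added example, not part of this advisory or of Apache OFBiz, that compares a version string read out of an installation against the fixed release 18.12.14 numerically. It assumes the operator has already obtained the version string; no OFBiz file format is assumed, and a pre-release suffix such as "-SNAPSHOT" is treated conservatively as still below the fix.

```python
"""Added example (not from the advisory): is an OFBiz version string
below the fixed release 18.12.14?  The version string itself is assumed
to have been read from the installation by the operator."""
import re

FIXED_VERSION = "18.12.14"  # patch version stated in the advisory

PRERELEASE_MARKERS = ("snapshot", "rc", "beta", "alpha")


def parse_version(v):
    """Turn '18.12.13', '18.12.09' or '18.12.14-SNAPSHOT' into a comparable tuple.

    Components are compared as integers, so '18.12.9' < '18.12.14' as expected.
    The trailing flag is 1 for a final release and 0 for a pre-release build,
    so '18.12.14-SNAPSHOT' sorts below '18.12.14'.
    """
    m = re.search(r'(\d+)\.(\d+)\.(\d+)(.*)$', v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch, suffix = m.groups()
    is_final = 0 if any(tag in suffix.lower() for tag in PRERELEASE_MARKERS) else 1
    return (int(major), int(minor), int(patch), is_final)


def is_vulnerable(version):
    """True when the version is below 18.12.14 ('all versions before 18.12.14')."""
    return parse_version(version) < parse_version(FIXED_VERSION)


if __name__ == "__main__":
    for v in ("17.12.09", "18.12.09", "18.12.13", "18.12.14-SNAPSHOT", "18.12.14", "18.12.15"):
        print(f"{v:>18}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
```

Treating a pre-release build of 18.12.14 as vulnerable is a deliberate choice: a snapshot cut before the fix was committed would otherwise be reported as patched.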

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed file access attempts with '../' patterns
  • Unusual file access patterns from single IP addresses

Network Indicators:

  • HTTP requests containing '../' or directory traversal sequences
  • Unusual file extension requests

SIEM Query:

web.url:*../* OR web.uri:*../*
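The SIEM query and the WAF rule above both match the literal '../' sequence, which misses percent-encoded ('%2e%2e%2f'), double-encoded ('%252e%252e%252f') and backslash ('..\') forms. The following is an added example, not part of this advisory or of Apache OFBiz, of the same detection run over sample web-server log lines: it decodes each request path (bounded, to catch multiple layers of encoding), flags traversal sequences, and aggregates hits per source IP to surface the "multiple attempts from a single IP" indicator. The log format and the log lines are constructed for the example; the request paths do not correspond to any known exploit.

```python
"""Added example (not from the advisory): flag path-traversal attempts in
web access logs and count them per source IP.  Log format and sample
lines are constructed for illustration."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Combined Log Format (not real OFBiz logs).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jun/2024:10:00:01 +0000] "GET /webtools/control/main HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jun/2024:10:00:02 +0000] "GET /webtools/control/../../../../etc/passwd HTTP/1.1" 404 0
203.0.113.7 - - [01/Jun/2024:10:00:03 +0000] "GET /webtools/control/%2e%2e%2f%2e%2e%2fWEB-INF/web.xml HTTP/1.1" 404 0
203.0.113.7 - - [01/Jun/2024:10:00:04 +0000] "GET /webtools/control/%252e%252e%252fframework/config HTTP/1.1" 403 0
198.51.100.3 - - [01/Jun/2024:10:00:05 +0000] "GET /images/logo.png HTTP/1.1" 200 3020
198.51.100.3 - - [01/Jun/2024:10:00:06 +0000] "GET /catalog/control/product?id=..%5c..%5cboot.ini HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# A '..' path element delimited by '/' or '\' (or by start/end of string),
# evaluated on the *decoded* path so encoded variants are caught too.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.($|[\\/])')


def decode_path(path, rounds=3):
    """Percent-decode repeatedly, bounded, so double/triple encoding is unwrapped."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path):
    """True if the decoded request path contains a '..' directory element."""
    return bool(TRAVERSAL_RE.search(decode_path(path)))


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_traversal_attempts(log_text):
    """Return (ip, status, raw_path, decoded_path) for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_traversal(rec["path"]):
            hits.append((rec["ip"], rec["status"], rec["path"], decode_path(rec["path"])))
    return hits


def attempts_per_ip(log_text, threshold=2):
    """Source IPs with at least `threshold` traversal attempts."""
    counts = Counter(ip for ip, *_ in find_traversal_attempts(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, status, raw, decoded in find_traversal_attempts(SAMPLE_LOG):
        print(f"{ip:<14} {status} {raw}  ->  {decoded}")
    print("repeat offenders:", attempts_per_ip(SAMPLE_LOG))
```

Matching on the decoded path rather than the raw request line is the point: a rule that only looks for the literal '../' would miss three of the four attempts in the sample above. The per-IP count is deliberately based on the traversal pattern alone, not on the HTTP status, so that a successful (200) read is not filtered out.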
