CVE-2024-45195

7.5 HIGH

📋 TL;DR

This CVE describes a Direct Request (Forced Browsing) vulnerability in Apache OFBiz that allows attackers to access restricted resources by directly requesting URLs without proper authorization. It affects all Apache OFBiz deployments before version 18.12.16. This vulnerability could lead to unauthorized access to sensitive data or functionality.

💻 Affected Systems

Products:
  • Apache OFBiz
Versions: All versions before 18.12.16
Operating Systems: All platforms running Apache OFBiz
Default Config Vulnerable: ⚠️ Yes
Notes: All Apache OFBiz deployments using affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could access administrative interfaces, sensitive business data, or perform unauthorized operations leading to data breach or system compromise.

🟠

Likely Case

Unauthorized access to restricted application resources, potentially exposing sensitive business information or allowing privilege escalation.

🟢

If Mitigated

With proper network segmentation and access controls, impact would be limited to the application layer only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Direct request vulnerabilities typically require minimal technical skill to exploit once target URLs are identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 18.12.16

Vendor Advisory: https://ofbiz.apache.org/security.html

Restart Required: Yes

Instructions:

1. Download Apache OFBiz 18.12.16 from https://ofbiz.apache.org/download.html
2. Backup current installation and data
3. Deploy new version following Apache OFBiz upgrade procedures
4. Restart the application server

🔧 Temporary Workarounds

Web Application Firewall Rules

Applies to: all

Implement WAF rules to block direct access to known restricted paths

Network Access Controls

Applies to: all

Restrict access to the OFBiz application to authorized users only

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access to OFBiz
  • Deploy web application firewall with rules to detect and block forced browsing attempts

🔍 How to Verify

Check if Vulnerable:

Check the Apache OFBiz version; if it is below 18.12.16, the system is vulnerable

Check Version:

Check OFBIZ_HOME/buildversion.txt or application startup logs

Verify Fix Applied:

Verify that the version is 18.12.16 or higher, then test that restricted endpoints reject unauthenticated requests

📡 Detection & Monitoring

Log Indicators:

  • Multiple 403/404 errors for restricted paths from single IP
  • Unusual access patterns to administrative URLs

Network Indicators:

  • HTTP requests to known restricted endpoints without prior authentication

SIEM Query:

source="apache-ofbiz" AND (status=403 OR status=404) AND (uri CONTAINS "/admin" OR uri CONTAINS "/control")
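The log indicators above (repeated 403/404 responses for restricted paths from one source IP) can be checked offline when no SIEM is available. The following is an added example, not part of this advisory and not OFBiz project code: it parses Common Log Format access-log lines, applies the same path and status filter as the SIEM query, and reports source IPs whose count of such responses meets a threshold. The log lines, the path prefixes "/admin" and "/control", and the threshold of 3 are constructed assumptions; tune them to your deployment's actual restricted paths and traffic volume.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in Common Log Format; not real traffic.
# 203.0.113.10 probes several restricted paths and gets 403/404 each time;
# 198.51.100.7 is an ordinary user with a single 403 and an unrelated 404.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Sep/2024:12:00:01 +0000] "GET /control/main HTTP/1.1" 200 5120
203.0.113.10 - - [10/Sep/2024:12:00:02 +0000] "GET /control/admin HTTP/1.1" 403 210
203.0.113.10 - - [10/Sep/2024:12:00:03 +0000] "GET /admin/ HTTP/1.1" 404 210
203.0.113.10 - - [10/Sep/2024:12:00:04 +0000] "GET /control/reports HTTP/1.1" 403 210
203.0.113.10 - - [10/Sep/2024:12:00:05 +0000] "GET /admin/users HTTP/1.1" 404 210
198.51.100.7 - - [10/Sep/2024:12:00:06 +0000] "GET /control/login HTTP/1.1" 200 3400
198.51.100.7 - - [10/Sep/2024:12:00:07 +0000] "GET /control/admin HTTP/1.1" 403 210
198.51.100.7 - - [10/Sep/2024:12:00:08 +0000] "GET /images/logo.png HTTP/1.1" 404 210
"""

# Common Log Format: ip ident user [timestamp] "METHOD URI PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Assumed restricted path fragments, mirroring the SIEM query's CONTAINS terms.
RESTRICTED_FRAGMENTS = ("/admin", "/control")
# Response codes that indicate a denied or missing restricted resource.
ALERT_STATUSES = {403, 404}


def parse_line(line):
    """Return a dict with ip, uri and integer status, or None if the line
    does not match Common Log Format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ip": m.group("ip"), "uri": m.group("uri"),
            "status": int(m.group("status"))}


def is_restricted(uri):
    """Substring match on the path part of the URI (query string dropped)."""
    path = uri.split("?", 1)[0]
    return any(fragment in path for fragment in RESTRICTED_FRAGMENTS)


def find_forced_browsing(log_text, threshold=3):
    """Count 403/404 responses for restricted paths per source IP and return
    the IPs whose count meets the threshold, with the distinct URIs they hit."""
    counts = defaultdict(int)
    uris = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in the expected format
        if rec["status"] in ALERT_STATUSES and is_restricted(rec["uri"]):
            counts[rec["ip"]] += 1
            uris[rec["ip"]].add(rec["uri"])
    return {ip: {"count": n, "uris": sorted(uris[ip])}
            for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, info in find_forced_browsing(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} denied/missing restricted requests "
              f"-> {', '.join(info['uris'])}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; legitimate users who mistype one URL stay below the threshold, while a single IP walking many restricted paths is reported. Because the filter is a substring match, as in the SIEM query, a site that serves unrestricted paths containing "/control" will need a tighter fragment list.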
