{"id":"CVE-2024-38856","details":"Incorrect Authorization vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: through 18.12.14.\n\nUsers are recommended to upgrade to version 18.12.15, which fixes the issue.\n\nUnauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).","modified":"2026-04-12T07:22:49.333692Z","published":"2024-08-05T09:15:56.780Z","references":[{"type":"WEB","url":"https://ofbiz.apache.org/download.html"},{"type":"ADVISORY","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-38856"},{"type":"ADVISORY","url":"https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w"},{"type":"REPORT","url":"https://issues.apache.org/jira/browse/OFBIZ-13128"},{"type":"FIX","url":"https://ofbiz.apache.org/security.html"},{"type":"ARTICLE","url":"http://www.openwall.com/lists/oss-security/2024/08/04/1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/ofbiz-framework","events":[{"introduced":"0"},{"fixed":"6c3b0068a99bb3b93321fdb983a0046b0679c86d"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"18.12.15"}]}}],"versions":["release18.12.01","release18.12.02","release18.12.03","release18.12.04","release18.12.05","release18.12.12","release18.12.13","release18.12.14"],"database_specific":{"vanir_signatures":[{"id":"CVE-2024-38856-03c7d167","digest":{"line_hashes":["16237928801769355647919000095175284067","279097356743855932756619687220893319709","273185140359734659992900487972147521510","272830951868334040380757588277782715210","198115970284892576381814091129744175161","156801118489440031399249922660119204120","17419182794509903132157188192279864619","319171371338532270866278758939786887587","272505973760705412638679905762905969544","182861801311226970744323937573579066560"],"threshold":0.9},"signature_version":"v1","deprecated":false,"target":{"file":"framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ConfigXMLReader.java"},"source":"https://github.com/apache/ofbiz-framework/commit/6c3b0068a99bb3b93321fdb983a0046b0679c86d","signature_type":"Line"},{"id":"CVE-2024-38856-7550093e","digest":{"length":907,"function_hash":"289731587944239157478450005162939112262"},"signature_version":"v1","deprecated":false,"target":{"function":"ViewMap","file":"framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ConfigXMLReader.java"},"source":"https://github.com/apache/ofbiz-framework/commit/6c3b0068a99bb3b93321fdb983a0046b0679c86d","signature_type":"Function"},{"id":"CVE-2024-38856-805bb689","digest":{"line_hashes":["226720336440091456568055407268121400228","143080546213670749940831542994819412235","1868680413758454524348053782127259926","173130246160965080851195595369703173765","187400503843563474427066163369618456596","137948593440813080134710218417753856069","256459321338719085669855389801053403838","70267618819608495326245243460189652664","337270641275986671421375631470018528044","303241113400411699155420109973754893272","65229489003242147538656639975465287136","38769350571236847600693412600179347823","199178616298278916722095930772674720540","150385102235644132487182112455060085302","56773817233749987283973893043919928206","23469707285194751312439660564106769525","117363730291814426482816689471425138532","188143581695577658211745036958273071677","293400857134866993208488101898904196274","154191612978878504285967907407432258341","263274359243705375965483943012057223234","63238528625549451350539847244494150840","74512146229357788023298846025078597907","211129942122505838924169863251338612041","3900834991457700138899303516254445885","68920232806175318604197657785419106290","27519593302627289968737207598177662583","35329941838764983836804262232273083587","28846086343552447133845254914176141244"],"threshold":0.9},"signature_version":"v1","deprecated":false,"target":{"file":"framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java"},"source":"https://github.com/apache/ofbiz-framework/commit/6c3b0068a99bb3b93321fdb983a0046b0679c86d","signature_type":"Line"},{"id":"CVE-2024-38856-87749879","digest":{"length":20752,"function_hash":"127020776840894583888347848105549337837"},"signature_version":"v1","deprecated":false,"target":{"function":"doRequest","file":"framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java"},"source":"https://github.com/apache/ofbiz-framework/commit/6c3b0068a99bb3b93321fdb983a0046b0679c86d","signature_type":"Function"},{"id":"CVE-2024-38856-939d270a","digest":{"length":549,"function_hash":"252684546882370506403639156501137473225"},"signature_version":"v1","deprecated":false,"target":{"function":"resolveURIBasicOverrideView","file":"framework/webapp/src/test/java/org/apache/ofbiz/webapp/control/RequestHandlerTests.java"},"source":"https://github.com/apache/ofbiz-framework/commit/6c3b0068a99bb3b93321fdb983a0046b0679c86d","signature_type":"Function"},{"id":"CVE-2024-38856-c50e774b","digest":{"length":680,"function_hash":"49410172142283753758052014897718780082"},"signature_version":"v1","deprecated":false,"target":{"function":"resolveURI","file":"framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java"},"source":"https://github.com/apache/ofbiz-framework/commit/6c3b0068a99bb3b93321fdb983a0046b0679c86d","signature_type":"Function"},{"id":"CVE-2024-38856-ef9e4e6f","digest":{"line_hashes":["286477505649465832301079209369792175799","18324683007926061974728313524300451877","188663671449093183171970600071215843006","65308096173048705420922724742824449340","316030500068515158819464895025355409791","306611767280792831562221589684052443265","301506262570323668687688091640580230747","287383009294581322429732682768279092907","291907097562093325603956982556486697276","295079923233464330274413188492142325479","78793336910171886003253462130962246282"],"threshold":0.9},"signature_version":"v1","deprecated":false,"target":{"file":"framework/webapp/src/test/java/org/apache/ofbiz/webapp/control/RequestHandlerTests.java"},"source":"https://github.com/apache/ofbiz-framework/commit/6c3b0068a99bb3b93321fdb983a0046b0679c86d","signature_type":"Line"}],"vanir_signatures_modified":"2026-04-12T07:22:49Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-38856.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}