What is Apache OFBiz?
Apache OFBiz (Open For Business) is an open-source enterprise ERP and CRM framework used to build e-commerce applications, order management systems, and business process automation solutions. See CVE-2024-38856 for full product context. In brief: OFBiz's ProgramExport endpoint — which executes arbitrary Groovy code — has been the primary attack surface for multiple critical OFBiz vulnerabilities. Authentication bypasses that reach ProgramExport result in immediate unauthenticated RCE because the endpoint has no further input validation once authentication is cleared.
Overview
CVE-2024-32113 is a path traversal vulnerability (CWE-22) in Apache OFBiz that allows an unauthenticated attacker to bypass authentication and access the ProgramExport endpoint, which then executes arbitrary Groovy code. The path traversal manipulates the URL to bypass OFBiz's per-view authentication enforcement. Apache released OFBiz 18.12.13 with a fix in May 2024; CISA added the CVE to the KEV catalog in August 2024 following confirmed active exploitation. However, the fix was incomplete — CVE-2024-38856 (August 2024) is a patch bypass using a different technique (view override) to reach ProgramExport, requiring OFBiz 18.12.15 to fully close this class of vulnerability.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Apache OFBiz | < 18.12.13 | 18.12.13 (for this CVE) |
| Apache OFBiz | < 18.12.15 | 18.12.15 (for complete fix including CVE-2024-38856 bypass) |
Technical Details
The path traversal (CWE-22) exploits OFBiz's URL routing and authentication model. OFBiz maps URLs in the form /webtools/control/<viewName> to view handlers, with per-view security checks. The authentication check determines which views require login based on the URL path.
Traversal mechanism: By inserting /../ or other path traversal sequences into the URL, an attacker can cause the router to reach the ProgramExport handler via a path that is not subject to the normal authentication enforcement. For example, a crafted URL like:
/webtools/control/ProgramExport;jsessionid=x?USERNAME=&PASSWORD=&requirePasswordChange=Y
or path traversal variants that bypass the security check.
ProgramExport execution: Once the endpoint is reached without authentication, the attacker supplies a groovyProgram POST parameter containing Groovy code. OFBiz executes the Groovy script server-side, achieving arbitrary OS command execution in the context of the OFBiz application server process.
Relationship to CVE-2024-38856: The August 2024 patch (18.12.15) addressed both CVE-2024-32113 and the view-override bypass technique discovered in CVE-2024-38856. Organizations that patched to 18.12.13 (fixing CVE-2024-32113) but did not upgrade to 18.12.15 remained vulnerable to CVE-2024-38856.
Discovery
The vulnerability was independently identified by multiple researchers tracking OFBiz's ProgramExport endpoint as an attack surface. The path traversal technique for reaching ProgramExport was known in the OFBiz security community prior to formal CVE publication.
Exploitation Context
CISA added CVE-2024-32113 to the KEV catalog on August 7, 2024 — three months after the May 2024 fix — confirming ongoing exploitation of unpatched OFBiz instances. Mass scanning for OFBiz's ProgramExport endpoint was observed throughout 2024, with multiple threat actors including financially motivated groups targeting e-commerce OFBiz deployments for credit card theft and server compromise.
Remediation
- Upgrade to Apache OFBiz 18.12.15 or later — this version addresses both CVE-2024-32113 and the patch bypass CVE-2024-38856. The CISA deadline for this CVE was August 28, 2024.
- Do not stop at 18.12.13 — 18.12.13 fixes CVE-2024-32113 but CVE-2024-38856 bypasses that fix via a different technique; 18.12.15 is the minimum fully-patched version.
- Restrict internet access to OFBiz admin and webtools paths — the /webtools/control/ path should not be publicly accessible without IP restriction or authentication proxy in front.
- Block POST requests to /webtools/control/ProgramExport at the WAF or load balancer level from any non-administrative IP ranges.
- Audit OFBiz server logs for POST requests to ProgramExport-related endpoints with unusual parameters.
- Check for dropped files in the OFBiz application directory — web shells or backdoor scripts are a common exploitation artifact.
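As an added defender-side example (not code from this page, from Apache, or from the OFBiz project), the following Python script implements the log-audit bullet above and shows the request-normalisation step that the Technical Details section relies on: each request target is percent-decoded once, `;key=value` path parameters such as `jsessionid` are stripped from every segment, and `.`/`..` segments are collapsed before the resolved view name is compared against a sensitive-view list. Requests that resolve to ProgramExport are reported, with a flag for whether they came from an assumed administrative range and whether normalisation changed the path. The combined-format log lines, the 10.0.0.0/8 administrative range and the function names are constructed assumptions for the example.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (combined log format). These are
# illustrative records, not traffic from any real OFBiz deployment.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2024:12:00:01 +0000] "POST /webtools/control/ProgramExport HTTP/1.1" 200 512
203.0.113.9 - - [10/Aug/2024:12:00:02 +0000] "POST /webtools/control/forgotPassword/../ProgramExport HTTP/1.1" 200 498
203.0.113.9 - - [10/Aug/2024:12:00:03 +0000] "POST /webtools/control/ProgramExport;jsessionid=x?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 498
10.0.5.4 - - [10/Aug/2024:12:00:04 +0000] "POST /webtools/control/ProgramExport HTTP/1.1" 200 330
198.51.100.2 - - [10/Aug/2024:12:00:05 +0000] "GET /webtools/control/main HTTP/1.1" 200 1024
"""

# Assumption for this example: administrative traffic originates here.
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Views that should never be reachable from outside the admin ranges.
SENSITIVE_VIEWS = {"ProgramExport"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def normalize_path(target: str) -> str:
    """Resolve a request target to the path a router would act on.

    Percent-decodes once, drops ';key=value' path parameters from every
    segment (this is where ';jsessionid=...' lives), and collapses '.' and
    '..' segments so that traversal sequences cannot hide the final view.
    """
    raw_path = unquote(urlsplit(target).path)
    segments = []
    for seg in raw_path.split("/"):
        seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def classify(line: str):
    """Return an audit record if the line resolves to a sensitive view."""
    m = LOG_RE.match(line)
    if not m:
        return None
    norm = normalize_path(m["target"])
    if not norm.startswith("/webtools/control/"):
        return None
    view = norm.rsplit("/", 1)[-1]
    if view not in SENSITIVE_VIEWS:
        return None
    ip = ipaddress.ip_address(m["ip"])
    return {
        "ip": str(ip),
        "method": m["method"],
        "view": view,
        "from_admin": any(ip in net for net in ADMIN_NETS),
        # True when decoding/normalisation changed the path: the request was
        # shaped so that a naive string comparison would not see the view.
        "obfuscated": norm != urlsplit(m["target"]).path,
        "raw_target": m["target"],
    }


def audit(log_text: str) -> list:
    """All requests that resolve to a sensitive view, admin or not."""
    return [r for r in (classify(l) for l in log_text.splitlines()) if r]


def alerts(log_text: str) -> list:
    """Sensitive-view requests from outside the administrative ranges."""
    return [r for r in audit(log_text) if not r["from_admin"]]


if __name__ == "__main__":
    for rec in alerts(SAMPLE_LOG):
        flag = "obfuscated" if rec["obfuscated"] else "direct"
        print(f'{rec["ip"]:<14} {rec["method"]:<5} {flag:<10} {rec["raw_target"]}')
```

The point of comparing the normalised path rather than the raw request line is the same one the vulnerability turns on: a check that looks at the URL as written can be steered past by session-id path parameters or dot segments, while a check on the resolved view name is not. The same normalisation belongs in front of any WAF or proxy rule that blocks the ProgramExport path.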
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2024-32113 |
| Vendor / Product | Apache — OFBiz |
| NVD Published | 2024-05-08 |
| NVD Last Modified | 2025-10-23 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-22 |
| CISA KEV Added | 2024-08-07 |
| CISA KEV Deadline | 2024-08-28 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2024-05-08 | CVE published; Apache OFBiz 18.12.13 released with fix |
| 2024-08-05 | CVE-2024-38856 published — patch bypass requiring OFBiz 18.12.15 |
| 2024-08-07 | CISA adds to KEV (active exploitation confirmed, 3 months after patch) |
| 2024-08-28 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Apache OFBiz Security Advisory — CVE-2024-32113 | Vendor Advisory |
| GitHub Security Advisory GHSA-xv8x-pr4h-73jm | Vendor Advisory |
| NVD — CVE-2024-32113 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |