CVE-2022-25371 Unauth Path Traversal with file corruption affecting the Birt plugin of Apache OFBiz

2022-09-0207:10:17

CWE-22

apache

www.cve.org

cve-2022-25371

unauthenticated path traversal

file corruption

apache ofbiz

birt plugin

remote code execution

9.9 High

AI Score

Confidence

High

0.025 Low

EPSS

Percentile

90.2%

JSON

Apache OFBiz uses the Birt project plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. By leveraging a bug in Birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142) it is possible to perform a remote code execution (RCE) attack in Apache OFBiz, release 18.12.05 and earlier.

CNA Affected

[
  {
    "product": "Apache OFBiz",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "18.12.05",
        "status": "affected",
        "version": "Apache OFBiz",
        "versionType": "custom"
      }
    ]
  }
]