CVE-2023-51467: Apache OFBiz: Pre-authentication Remote Code Execution (RCE) vulnerability
Severity: critical Affected versions: - Apache OFBiz before 18.12.11 Description: The vulnerability allows attackers to bypass authentication to achieve a simple Server-Side Request Forgery (SSRF) This issue is being tracked as OFBIZ-12873 Credit: Hasib Vhora, Senior Threat Researcher, SonicWall (finder) Gao Tian (finder) L0ne1y (finder) References: https://ofbiz.apache.org/download.html https://ofbiz.apache.org/security.html https://ofbiz.apache.org/release-notes-18.12.11.html https://issues.apache.org/jira/browse/OFBIZ-12873 https://ofbiz.apache.org/ https://www.cve.org/CVERecord?id=CVE-2023-51467 https://issues.apache.org/jira/browse/OFBIZ-12873
CVE-2023-50968: Apache OFBiz: Arbitrary file properties reading and SSRF attack
Severity: important Affected versions: - Apache OFBiz through 18.12.10 Description: Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. The same uri can be operated to realize a SSRF attack also without authorizations. Users are recommended to upgrade to version 18.12.11, which fixes this issue. Credit: Yun Peng - 郭 运鹏 (finder) References: https://ofbiz.apache.org/download.html https://ofbiz.apache.org/security.html https://ofbiz.apache.org/release-notes-18.12.11.html https://issues.apache.org/jira/browse/OFBIZ-12875 https://ofbiz.apache.org/ https://www.cve.org/CVERecord?id=CVE-2023-50968
Re: SvnCheckout Gradle plugin soon no longer usable with GitHub
Hi, Though I believe we should get rid of the Gradle pullPluginSource and pullAllPluginsSource tasks, this morning I tried to implement them using the OS scripts for pullPluginSource and pullAllPluginsSource w/o success. If someone is interested I can put the diff at OFBIZ-12868 Juste let me know... Jacques Le 23/12/2023 à 12:13, Jacques Le Roux a écrit : Hi, OK, we need more effort here because GH and BB will break at January 8, 2024 and we need to test the changes before... In other words we have at most 2 weeks available... I have one question. It seems to me that the Gradle "installPlugin" task, called by the pullPluginSource and pullAllPluginsSource tasks, is not implement in any OOTB plugin. I ask this question because, if it eventually unused, it's quite easier and especially efficient/faster to use simple OS scripts than Gradle tasks for pullPluginSource and pullAllPluginsSource Jacques Le 01/12/2023 à 11:18, Jacques Le Roux a écrit : Hi, I have created https://issues.apache.org/jira/browse/OFBIZ-12868 for that... WIP... HTH Jacques Le 27/11/2023 à 13:41, Jacques Le Roux a écrit : Hi, As you may have noticed*, the SvnCheckout Gradle plugin will not be usable after January 8, 2024. So we need a replacement and it's clearly suggested by GitHub in the link below Jacques * https://lists.apache.org/thread/08kwg2ovjt4qyfybhf1qzsvq42jsy2wz
Re: SvnCheckout Gradle plugin soon no longer usable with GitHub
Hi Eugen, Inline... Le 24/12/2023 à 12:05, Jacques Le Roux a écrit : Hi Eugen, This said I was reading https://cwiki.apache.org/confluence/display/OFBIZ/Release+Management+Guide+for+OFBiz and stumbled upon https://github.com/apache/ofbiz-tools/blob/master/demo-backup/README.md Obviously some parts are obsolete since we rely now on Docker for demos. Could you please review and possibly amend? Please forgot that, I'll handle it. Jacques
Re: SvnCheckout Gradle plugin soon no longer usable with GitHub
Thanks Daniel! Jacques Le 26/12/2023 à 08:17, Daniel Watford a écrit : Hi Jacques, Dropping the pullAllPluginsSource gradle task will have the benefit of simplifying the building of docker images. Please see the comment on the topic here: https://github.com/apache/ofbiz-framework/blob/0530a58d3a912520b7f9e46c5ccde98fd3737bf5/.github/workflows/docker-image.yaml#L126 I'll create and work a ticket over the next few days to amend the docker image build process to use a git clone/checkout of the ofbiz-plugins repository rather than use the pullAllPluginsSoruce gradle task. The ticket will apply to the trunk, release18.12 and release22.01 branches. Thanks, Dan. On Mon, 25 Dec 2023 at 08:34, Jacques Le Roux wrote: Hi Eugen, Daniel, Le 24/12/2023 à 12:05, Jacques Le Roux a écrit : Last but not least, I guess we will need very soon to change something in Docker config for demos ; since pullAllPluginsSource relies on soon not usable SvnCheckout plugin? Actually this last sentence was more directed to Daniel