CVE-2024-38856

Name: CVE-2024-38856
Creator: NVD / NIST
Published: 2024-08-05T09:15:56.78+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10Actively ExploitedEPSS 99.43%

Last modified Jun 17, 2026

CVE-2024-38856 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).. CISA has confirmed active exploitation in the wild. EPSS estimates a 99.43% chance of exploitation in the next 30 days.

Description

Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

99.43%

99.9th percentile

Probability of exploitation in the next 30 days. Learn more

Exploitation Status

This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by Sep 17, 2024.

Weakness Enumeration

CWE-863

Affected Software

Vendor	Product	Versions
Apache	Ofbiz	< 18.12.15

References

https://issues.apache.org/jira/browse/OFBIZ-13128Issue Tracking
https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7wMailing List, Vendor Advisory
https://ofbiz.apache.org/download.htmlProduct
https://ofbiz.apache.org/security.htmlPatch
http://www.openwall.com/lists/oss-security/2024/08/04/1Mailing List
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-38856Third Party Advisory, US Government Resource

Timeline

Published: Aug 5, 2024
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2024-38856?

How severe is CVE-2024-38856?

CVE-2024-38856 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 99.43% probability of exploitation in the next 30 days. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

How do I fix CVE-2024-38856?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-38856?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST