CVE-2025-54466

Опубликовано: 15 авг. 2025

Источник: nvd

CVSS3: 9.8

CVSS3: 6.3

EPSS Низкий

Описание

Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin.

This issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used.

Even unauthenticated attackers can exploit this vulnerability.

Users are recommended to upgrade to version 24.09.02, which fixes the issue.

Ссылки

https://issues.apache.org/jira/browse/OFBIZ-13276
Patch
https://lists.apache.org/thread/14d0yd9co9gx2mctd3vyz1cc8d39n915
Mailing List
Third Party Advisory
https://ofbiz.apache.org/download.html
Product
https://ofbiz.apache.org/release-notes-24.09.02.html
Release Notes
https://ofbiz.apache.org/security.html
Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/08/05/1

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*

Версия до 24.09.02 (исключая)

EPSS

Процентиль: 36%

0.00155

Низкий

9.8 Critical

CVSS3

6.3 Medium

CVSS3

Дефекты

CWE-94

Связанные уязвимости

GHSA-7vg9-49f9-pfxr

CVSS3: 6.3

github

6 месяцев назад

Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin. This issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used. Even unauthenticated attackers can exploit this vulnerability. Users are recommended to upgrade to version 24.09.02, which fixes the issue.

EPSS

Процентиль: 36%

0.00155

Низкий

9.8 Critical

CVSS3

6.3 Medium

CVSS3

Дефекты

CWE-94