Apache OFBiz: RCE Vulnerability in scrum plugin_CVE-2025-54466

6.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Description

Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin.

This issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used.

Even unauthenticated attackers can exploit this vulnerability.

Users are recommended to upgrade to version 24.09.02, which fixes the issue.

Basic Information

ID CVE-2025-54466

Source apache

Published Aug 15, 2025 at 14:13

Modified Aug 15, 2025 at 19:04

Affected Product

Vendor Apache Software Foundation

Product Apache OFBiz

Affected Versions Apache Software Foundation Apache OFBiz 0

CWE Classification

CWE-94

References

{
    "lastseen": "",
    "description": "Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz\u00a0scrum plugin.\n\nThis issue affects Apache OFBiz: before 24.09.02 only when the\u00a0scrum plugin is used.\n\nEven unauthenticated attackers can exploit this vulnerability.\n\n\nUsers are recommended to upgrade to version 24.09.02, which fixes the issue.",
    "published": "2025-08-15T14:13:52.584Z",
    "modified": "2025-08-15T19:04:47.346Z",
    "type": "cve",
    "title": "Apache OFBiz: RCE Vulnerability in scrum plugin",
    "source": "apache",
    "references": "https://ofbiz.apache.org/download.html\nhttps://ofbiz.apache.org/security.html\nhttps://ofbiz.apache.org/release-notes-24.09.02.html\nhttps://issues.apache.org/jira/browse/OFBIZ-13276\nhttps://lists.apache.org/thread/14d0yd9co9gx2mctd3vyz1cc8d39n915",
    "id": "CVE-2025-54466",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache OFBiz 0",
    "sourceHref": "",
    "cvss": {
        "score": 6.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache OFBiz",
    "version": "0",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}