Security Headlines

CVE-2023-46819: The Apache OFBiz® Project - Downloads

Missing Authentication in Apache Software Foundation Apache OFBiz when using the Solr plugin. This issue affects Apache OFBiz versions before 18.12.09.

Users are recommended to upgrade to version 18.12.09.


Download Apache OFBiz

Use the links below to download Apache OFBiz releases from the "Apache Download Mirrors" page. The download page also includes instructions on how to verify the integrity of the release file using the signature and hash (PGP, SHA512) available for each release. Mirrors serve only the release archive; the signature, the hash and the KEYS file must be fetched from the Apache site itself, otherwise a compromised mirror could supply matching "proofs" for a tampered archive. If you need more information about why and how to verify the integrity of the release file, see the ASF release verification page.
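The verification step above, as an added example that is not the OFBiz project's own script: it checks a downloaded archive against its SHA512 file and its detached PGP signature. The file names (apache-ofbiz-18.12.09.zip with .sha512 and .asc companions, plus a KEYS file in the same directory) are assumptions; adjust them to the release you actually downloaded. The checksum reader tolerates the different layouts ASF .sha512 files have used over the years, which is where most hand-rolled checks break.

```shell
#!/bin/sh
# Added example, not an OFBiz project script. Assumed file names:
# apache-ofbiz-18.12.09.zip, apache-ofbiz-18.12.09.zip.sha512,
# apache-ofbiz-18.12.09.zip.asc and KEYS, all in the current directory.

# SHA-512 digest of a file as 128 lowercase hex digits (GNU coreutils or macOS).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# Extract the expected digest from an ASF .sha512 file. These files are not all
# laid out the same way: "<hex>  <file>", "<hex> *<file>", or the older
# "gpg --print-md" form "<file>: <HEX groups separated by spaces and newlines>".
# Strip all whitespace, drop any "<file>:" prefix, keep the first 128 hex digits.
expected_sha512() {
    tr -d ' \t\r\n' < "$1" \
        | sed 's/^[^:]*://' \
        | grep -oE '[0-9A-Fa-f]{128}' \
        | head -n 1 \
        | tr 'A-F' 'a-f'
}

# Return 0 when the archive's digest equals the one in the .sha512 file, else 1.
check_sha512() {
    archive=$1
    sums=$2
    actual=$(sha512_of "$archive")
    expected=$(expected_sha512 "$sums")
    if [ -n "$expected" ] && [ "$actual" = "$expected" ]; then
        return 0
    fi
    return 1
}

# Verify the detached PGP signature. The KEYS file and the .asc must come from
# the Apache site, never from a download mirror.
verify_signature() {
    archive=$1
    sig=$2
    keys=$3
    gpg --import "$keys" >/dev/null 2>&1 || return 1
    # gpg exits 0 only for a good signature by an imported key. It still warns
    # when that key is not certified in your local web of trust, so compare the
    # fingerprint it prints with the one listed for the release manager in KEYS.
    gpg --verify "$sig" "$archive"
}

verify_release() {
    archive=$1
    check_sha512 "$archive" "$archive.sha512" \
        || { echo "SHA512 mismatch for $archive" >&2; return 1; }
    verify_signature "$archive" "$archive.asc" KEYS \
        || { echo "bad or unverifiable signature for $archive" >&2; return 1; }
    echo "$archive: checksum and signature OK"
}

# Stand-alone use: sh verify-ofbiz.sh apache-ofbiz-18.12.09.zip
[ "$#" -eq 0 ] || verify_release "$1"
```

A checksum proves only that the bytes you have are the bytes the checksum file describes; it is the PGP signature, checked against a KEYS file obtained from the Apache site, that ties the archive to the project.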

Then, to install OFBiz, follow the instructions in the "INSTALL" file found in the main directory of the OFBiz archive you just downloaded and extracted.

PLEASE NOTE: Despite our best efforts to maintain up to three active release branches, support for older branches can decrease because our project volunteers may be focused on other issues. We recommend using releases from the most recent branch wherever possible.

NOTE: To minimize the risk of security vulnerabilities the Apache OFBiz community highly recommends that all users upgrade to the latest stable release.

The history of security related fixes included in each release is available here

Apache OFBiz 18.12.09

Released in November 2023, this is the ninth release of the 18.12 series, which has been in stabilization since December 2018.

Download OFBiz 18.12.09 [PGP] [SHA512] [KEYS] [Release Notes]

We strongly encourage OFBiz users to report security problems affecting OFBiz to the private security mailing lists (either [email protected] or [email protected]) before disclosing them in a public forum. Please do not pack several vulnerabilities into the same report; send them one by one. Thanks in advance.

Note that we no longer create CVEs for post-auth attacks carried out with demo credentials, notably the admin user. Please create bug reports in our issue tracker (Jira) for those instead. Please do not create Jira issues for unauthenticated (pre-auth) reports; thanks in advance.

One of the reasons we no longer create CVEs for post-auth attacks done with demo credentials is that we strongly advise OFBiz users never to use the demo credentials in production, and we expect OFBiz users to follow that advice. We also warn our users on the "Keeping OFBiz secure" wiki page. Finally, we mostly reject post-auth reports because OFBiz has a solid CSRF defense, so an attacker cannot make an already logged-in user perform those actions on their behalf.

Earlier Releases

Older, superseded releases of Apache OFBiz can be found in the Apache OFBiz archive.

A description of each release in the history of OFBiz can be found here
