Headline
Apache OFBiz Update Fixes High-Severity Flaw Leading to Remote Code Execution
A new security flaw has been addressed in the Apache OFBiz open-source enterprise resource planning (ERP) system that, if successfully exploited, could lead to unauthenticated remote code execution on Linux and Windows. The high-severity vulnerability, tracked as CVE-2024-45195 (CVSS score: 7.5), affects all versions of the software before 18.12.16.
"An attacker with no valid
Cybersecurity / Vulnerability
A new security flaw has been addressed in the Apache OFBiz open-source enterprise resource planning (ERP) system that, if successfully exploited, could lead to unauthenticated remote code execution on Linux and Windows.
The high-severity vulnerability, tracked as CVE-2024-45195 (CVSS score: 7.5), affects all versions of the software before 18.12.16.
“An attacker with no valid credentials exploit missing view authorization checks in the web application to execute arbitrary code on the server,” Rapid7 security researcher Ryan Emmons said in a new report.
It’s worth noting that CVE-2024-45195 is a bypass for a sequence of issues, CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856, which were addressed by the project maintainers over the past few months.
Both CVE-2024-32113 and CVE-2024-38856 have since come under active exploitation in the wild, with the former leveraged to deploy the Mirai botnet malware.
Rapid7 said all three older shortcomings stem from the “ability to desynchronize the controller and view map state,” a problem that was never fully remediated in any of the patches.
A consequence of the vulnerability is that it could be abused by attackers to execute code or SQL queries and achieve remote code execution sans authentication.
The latest patch put in place “validates that a view should permit anonymous access if a user is unauthenticated, rather than performing authorization checks purely based on the target controller.”
Apache OFBiz version 18.12.16 also addresses a critical server-side request forgery (SSRF) vulnerability (CVE-2024-45507, CVSS score: 9.8) that could lead to unauthorized access and system compromise by taking advantage of a specially crafted URL.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw affecting the Apache OFBiz open-source enterprise resource planning (ERP) system to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerability, known as CVE-2024-38856, carries a CVSS score of 9.8, indicating critical severity.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw affecting the Apache OFBiz open-source enterprise resource planning (ERP) system to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerability, known as CVE-2024-38856, carries a CVSS score of 9.8, indicating critical severity.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw affecting the Apache OFBiz open-source enterprise resource planning (ERP) system to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerability, known as CVE-2024-38856, carries a CVSS score of 9.8, indicating critical severity.
A new zero-day pre-authentication remote code execution vulnerability has been disclosed in the Apache OFBiz open-source enterprise resource planning (ERP) system that could allow threat actors to achieve remote code execution on affected instances. Tracked as CVE-2024-38856, the flaw has a CVSS score of 9.8 out of a maximum of 10.0. It affects Apache OFBiz versions prior to 18.12.15. "The
A new zero-day pre-authentication remote code execution vulnerability has been disclosed in the Apache OFBiz open-source enterprise resource planning (ERP) system that could allow threat actors to achieve remote code execution on affected instances. Tracked as CVE-2024-38856, the flaw has a CVSS score of 9.8 out of a maximum of 10.0. It affects Apache OFBiz versions prior to 18.12.15. "The
A new zero-day pre-authentication remote code execution vulnerability has been disclosed in the Apache OFBiz open-source enterprise resource planning (ERP) system that could allow threat actors to achieve remote code execution on affected instances. Tracked as CVE-2024-38856, the flaw has a CVSS score of 9.8 out of a maximum of 10.0. It affects Apache OFBiz versions prior to 18.12.15. "The
The enterprise resource planning platform bug CVE-2024-38856 has a vulnerability-severity score of 9.8 out of 10 on the CVSS scale and offers a wide avenue into enterprise applications for cyberattackers.
Apache OFBiz versions prior to 18.12.13 are vulnerable to a path traversal vulnerability. The vulnerable endpoint /webtools/control/forgotPassword allows an attacker to access the ProgramExport endpoint which in turn allows for remote code execution in the context of the user running the application.