A new security flaw has appeared addressed in the Apache OFBiz open source enterprise resource planning (ERP) system, which, if successfully exploited, could lead to unauthenticated remote code execution on Linux and Windows.
A high severity vulnerability tracked as CVE-2024-45195 (CVSS score: 7.5), affects all software versions until 12/18/16.
“An attacker without valid credentials exploits missing browser authorization checks in a web application to execute arbitrary code on the server,” Ryan Emmons, Rapid7 Security Researcher. said in a new report.
It should be noted that CVE-2024-45195 is a workaround for a sequence of questionsCVE-2024-32113, CVE-2024-36104, and CVE-2024-38856, which have been addressed by the project developers over the past few months.
Both CVE-2024-32113 and CVE-2024-38856 have since been actively exploited in the wild, with the former being used to deploy the Mirai botnet malware.
Rapid7 said that all three old flaws stemmed from “the ability to desync the controller and view map state,” an issue that was never fully fixed in any of the patches.
A consequence of the vulnerability is that it could be exploited by attackers to execute code or SQL queries and achieve remote code execution without authentication.
The latest patch “confirms that the view should allow anonymous access if the user is not authenticated, rather than performing authorization checks solely based on the target controller.”
Apache OFBiz version 18.12.16 also addresses a critical server-side request forgery (SSRF) vulnerability (CVE-2024-45507CVSS score: 9.8), which can lead to unauthorized access and system hacking through the use of a specially crafted URL.
