New Zero-Day Flaw in Apache OFBiz ERP Allows Remote Code Execution
- Publication Date :
- Last updated:2024-10-07
- View count:122
A new zero-day pre-authentication remote code execution vulnerability has been disclosed in the Apache OFBiz open-source enterprise resource planning (ERP) system that could allow threat actors to achieve remote code execution on affected instances.
Tracked as CVE-2024-38856, the flaw has a CVSS score of 9.8 out of a maximum of 10.0. It affects Apache OFBiz versions prior to 18.12.15.
"The root cause of the vulnerability lies in a flaw in the authentication mechanism," SonicWall, which discovered and reported the shortcoming, said in a statement.
"This flaw allows an unauthenticated user to access functionalities that generally require the user to be logged in, paving the way for remote code execution."
CVE-2024-38856 is also a patch bypass for CVE-2024-36104, a path traversal vulnerability that was addressed in early June with the release of 18.12.14.
SonicWall described the flaw as residing in the override view functionality that exposes critical endpoints to unauthenticated threat actors, who could leverage it to achieve remote code execution via specially crafted requests.
"Unauthenticated access was allowed to the ProgramExport endpoint by chaining it with any other endpoints that do not require authentication by abusing the override view functionality," security researcher Hasib Vhora said.