Apache OFBiz Replace Fixes Excessive-Severity Flaw Resulting in Distant Code Execution


Sep 06, 2024Ravie LakshmananCybersecurity / Vulnerability

A brand new safety flaw has been addressed within the Apache OFBiz open-source enterprise useful resource planning (ERP) system that, if efficiently exploited, may result in unauthenticated distant code execution on Linux and Home windows.

The high-severity vulnerability, tracked as CVE-2024-45195 (CVSS rating: 7.5), impacts all variations of the software program earlier than 18.12.16.

Cybersecurity

“An attacker with no legitimate credentials exploit lacking view authorization checks within the internet software to execute arbitrary code on the server,” Rapid7 safety researcher Ryan Emmons said in a brand new report.

It is price noting that CVE-2024-45195 is a bypass for a sequence of issues, CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856, which have been addressed by the undertaking maintainers over the previous few months.

Each CVE-2024-32113 and CVE-2024-38856 have since come below energetic exploitation within the wild, with the previous leveraged to deploy the Mirai botnet malware.

Rapid7 mentioned all three older shortcomings stem from the “capability to desynchronize the controller and look at map state,” an issue that was by no means totally remediated in any of the patches.

A consequence of the vulnerability is that it might be abused by attackers to execute code or SQL queries and obtain distant code execution sans authentication.

The most recent patch put in place “validates {that a} view ought to allow nameless entry if a consumer is unauthenticated, quite than performing authorization checks purely primarily based on the goal controller.”

Cybersecurity

Apache OFBiz model 18.12.16 additionally addresses a essential server-side request forgery (SSRF) vulnerability (CVE-2024-45507, CVSS rating: 9.8) that might result in unauthorized entry and system compromise by making the most of a specifically crafted URL.

Discovered this text attention-grabbing? Comply with us on Twitter and LinkedIn to learn extra unique content material we put up.





Source link

Leave a Reply

Your email address will not be published. Required fields are marked *