LEFT SIDEBAR AD

Hidden in mobile, Best for skyscrapers.

Apache fixed a new remote code execution flaw in Apache OFBiz

1 week ago 20
BOOK THIS SPACE FOR AD
ARTICLE AD

Apache fixed a new remote code execution flaw in Apache OFBiz

Pierluigi Paganini September 06, 2024

Apache addressed a remote code execution vulnerability affecting the Apache OFBiz open-source enterprise resource planning (ERP) system.

Apache fixed a high-severity vulnerability, tracked as CVE-2024-45195 (CVSS score: 7.5) affecting the Apache OFBiz open-source enterprise resource planning (ERP) system.

Apache OFBiz® is an open source product for the automation of enterprise processes that includes framework components and business applications.

The vulnerability is a Direct Request (‘Forced Browsing’) issue in Apache OFBiz. This flaw affects all versions of the software before 18.12.16.

“Apache OFBiz below 18.12.16 is vulnerable to unauthenticated remote code execution on Linux and Windows. An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server.” reads the analysis published by Rapid7. “Exploitation is facilitated by bypassing previous patches for CVE-2024-32113CVE-2024-36104, and CVE-2024-38856; this patch bypass vulnerability is tracked as CVE-2024-45195.”

Rapid7 pointed out that all three previous vulnerabilities stemmed from a shared issue: the ability to desynchronize the controller and view map state. None of the patches fully resolved this issue.

The vulnerability allowed authenticated threat actors to execute code or SQL queries, leading to remote code execution. The latest patch addresses this by ensuring that anonymous access is only permitted if the user is unauthenticated, rather than relying solely on authorization checks based on the target controller.

“In this patch, authorization checks were implemented for the view. This change validates that a view should permit anonymous access if a user is unauthenticated, rather than performing authorization checks purely based on the target controller.” concludes Rapid7. “OFBiz users should update to the fixed version as soon as possible.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Apache OFBiz) 

Read Entire Article
  3. Apache fixed a new remote code execution flaw in Apache OFBiz

Related

SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 11

SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 11

Security Affairs newsletter Round 489 by Pierluigi Paganini – INTERNATIONAL EDITION

Security Affairs newsletter Round 489 by Pierluigi Paganini – INTERNATIONAL EDITION

GitLab fixed a critical flaw in GitLab CE and GitLab EE

GitLab fixed a critical flaw in GitLab CE and GitLab EE

New Linux malware called Hadooken targets Oracle WebLogic servers

New Linux malware called Hadooken targets Oracle WebLogic servers

Lehigh Valley Health Network hospital network has agreed to a $65 million settlement after data breach

Lehigh Valley Health Network hospital network has agreed to a $65 million settlement after data breach

Cybersecurity giant Fortinet discloses a data breach

Cybersecurity giant Fortinet discloses a data breach

Trending

1. Baskin-Robbins
2. Choreographer Jani Master
3. Asian Champions Trophy hockey
4. Motorola Edge 50 Neo
5. Champions League
6. Arkade Developers
7. Shogun
8. RG Kar CBI
9. Anant Chaturdashi
10. Aditi Rao Hydari

Popular

1-click RCE in Electron Applications

1-click RCE in Electron Applications

Install waybackurls on Kali Linux

Install waybackurls on Kali Linux

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Install DalFox on Kali Linux

Install DalFox on Kali Linux

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

SketchUp Pro 2020 v20.2.172 (x64) Multilingual + Patch

SketchUp Pro 2020 v20.2.172 (x64) Multilingual + Patch

BOOK THIS SPACE FOR AD
RIGHT SIDEBAR BOTTOM AD
Bengali (Bangladesh) Bengali (Bangladesh) · English (United States) English (United States) ·
About Us · Terms & Condition · Contact Us
© Security Alert 2024. All rights are reserved