A new security flaw has been addressed in the Apache OFBiz open-source enterprise resource planning (ERP) system that, if successfully exploited, could lead to unauthenticated remote code execution on Linux and Windows.
The high-severity vulnerability, tracked as CVE-2024-45195 (CVSS score: 7.5), affects all versions of the software before 18.12.16.
“An attacker with no valid credentials exploit missing view authorization checks in the web application to execute arbitrary code on the server,” Rapid7 security researcher Ryan Emmons said in a new report.
It’s worth noting that CVE-2024-45195 is a bypass for a sequence of issues, CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856, which were addressed by the project maintainers over the past few months.
Both CVE-2024-32113 and CVE-2024-38856 have since come under active exploitation in the wild, with the former leveraged to deploy the Mirai botnet malware.
Rapid7 said all three older shortcomings stem from the “ability to desynchronize the controller and view map state,” a problem that was never fully remediated in any of the patches.
A consequence of the vulnerability is that it could be abused by attackers to execute code or SQL queries and achieve remote code execution sans authentication.
The latest patch put in place “validates that a view should permit anonymous access if a user is unauthenticated, rather than performing authorization checks purely based on the target controller.”
Apache OFBiz version 18.12.16 also addresses a critical server-side request forgery (SSRF) vulnerability (CVE-2024-45507, CVSS score: 9.8) that could lead to unauthorized access and system compromise by taking advantage of a specially crafted URL.
