Authentication bypass likely with new critical Apache OFBiz zero-day

Threat actors could evade authentication protections in Apache's OFBiz enterprise resource planning system by abusing a novel critical zero-day flaw, tracked as CVE-2023-51467, reports The Hacker News. Exploiting the vulnerability within OFBiz's login functionality entails invalid USERNAME and PASSWORD inputs in HTTP requests to yield a successful authentication message, which is facilitated by the "Y" or yes input for the "requirePasswordChange" parameter, according to a report from the SonicWall Capture Labs threat research team, who discovered the flaw. Such a bug was noted to have stemmed from incomplete remediation of another critical Apache OFBiz flaw, tracked as CVE-2023-49070. "The security measures taken to patch CVE-2023-49070 left the root issue intact and therefore the authentication bypass was still present," said researchers. Immediate updates to Apache OFBiz versions 18.12.11 or later have been urged by researchers to prevent potential compromise using the vulnerabilities.