Authentication bypass likely with new critical Apache OFBiz zero-day
Threat actors could evade authentication protections in Apache's OFBiz enterprise resource planning system by abusing a novel critical zero-day flaw, tracked as CVE-2023-51467, reports The Hacker News.
According to the SonicWall Capture Labs threat research team, which discovered the flaw, the bypass sits in OFBiz's login check: an HTTP request that carries invalid USERNAME and PASSWORD values but sets the "requirePasswordChange" parameter to "Y" (yes) is answered with a successful authentication message, so the password-change path is honoured without the supplied credentials ever being validated. The bug stems from an incomplete fix for an earlier critical Apache OFBiz flaw, CVE-2023-49070. "The security measures taken to patch CVE-2023-49070 left the root issue intact and therefore the authentication bypass was still present," the researchers said. They urge administrators to update to Apache OFBiz 18.12.11 or later, which addresses both vulnerabilities, and to treat any internet-exposed instance still running an earlier release as exposed to compromise.
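To make the class of flaw concrete, the following is an added, simplified model of the control-flow mistake described above; it is not Apache OFBiz code, and the function names, the in-memory user table and the parameter handling are assumptions for illustration. The vulnerable version lets a client-supplied requirePasswordChange=Y produce a non-error status that the outer check accepts as success, whatever the credentials were; the hardened version verifies credentials first and treats "must change password" as a property of the authenticated account rather than of the request.

```python
"""
Model of a login-check ordering flaw of the kind reported for CVE-2023-51467.
Added illustration only: nothing here is taken from Apache OFBiz.
"""

# Constructed user store: username -> (password, account flagged for password change)
USERS = {
    "admin": ("correct-horse", False),
    "alice": ("s3cret", True),
}


def _check_credentials(username, password):
    """Return True only if the (username, password) pair matches a stored account."""
    record = USERS.get(username)
    return record is not None and record[0] == password


def vulnerable_check_login(params):
    """
    Flawed flow (hypothetical model): when the request sets
    requirePasswordChange=Y, the inner login step returns a non-error status
    without looking at the credentials. The outer check only rejects the
    literal "error", so invalid USERNAME/PASSWORD still yield "success".
    """
    username = params.get("USERNAME")
    password = params.get("PASSWORD")

    if params.get("requirePasswordChange") == "Y":
        inner = "requirePasswordChange"  # credentials never verified on this path
    else:
        inner = "success" if _check_credentials(username, password) else "error"

    # Anything other than "error" is accepted as an authenticated session.
    if username is None or password is None or inner == "error":
        return "error"
    return "success"


def hardened_check_login(params):
    """
    Root-cause fix: verify credentials unconditionally before any other
    decision, and derive the password-change requirement from the account,
    never from a client-controlled parameter.
    """
    username = params.get("USERNAME")
    password = params.get("PASSWORD")

    if not _check_credentials(username, password):
        return "error"
    if USERS[username][1]:
        return "requirePasswordChange"  # valid login, but the user must rotate first
    return "success"


if __name__ == "__main__":
    # Constructed request: bogus credentials plus the attacker-chosen flag.
    bypass_attempt = {"USERNAME": "nobody", "PASSWORD": "wrong", "requirePasswordChange": "Y"}
    print("vulnerable:", vulnerable_check_login(bypass_attempt))
    print("hardened:  ", hardened_check_login(bypass_attempt))
```

The point of the model is that an earlier fix which merely restricts how the flawed check is reached, without changing the order in which credentials are validated, leaves the bypass available through any other route to the same code; the hardened function removes the bypass by construction.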