
Critical Apache OFBiz flaw patched


Apache has released updates for OFBiz, its open-source enterprise resource planning system, to address a critical vulnerability tracked as CVE-2024-45195 that could be exploited for arbitrary code execution on Windows and Linux servers, BleepingComputer reports. The fix ships in OFBiz 18.12.16, and administrators should upgrade to that release or later.

The vulnerability is a bypass of the fixes issued for three earlier OFBiz bugs, CVE-2024-38856, CVE-2024-36104, and CVE-2024-32113. According to Rapid7 security researchers, all four stem from the same root cause, a fragmentation issue in the controller-view map: the part of the request URI that the controller uses to decide whether authorization is required and the part used to select the view that actually gets rendered can be made to refer to different entries, so an unauthenticated request can reach a view that should require login and obtain remote code execution or arbitrary SQL query execution. Rapid7 has also published a proof-of-concept exploit for the latest flaw. "An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server," said Rapid7 researcher Ryan Emmons. The disclosure comes nearly a month after in-the-wild exploitation of CVE-2024-32113 was discovered, which prompted its addition to the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog.
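The bug class described above, an authorization check and a view lookup that resolve different parts of the same request path, is easy to reproduce in miniature. The following is an added illustration, not OFBiz code and not Rapid7's proof of concept: the route table, the view names (login, forgotPassword, adminExport) and the two dispatchers are all hypothetical. The fragmented dispatcher authorizes on the first path segment but renders the last one, so a request with a public view in front and a privileged view at the end walks straight past the check; the hardened dispatcher resolves the view once and authorizes that exact view.

```python
# Added illustration of controller/view "fragmentation" (hypothetical, not OFBiz code).

# Constructed sample route table: view name -> does the view require a login?
VIEW_REQUIRES_AUTH = {
    "login": False,
    "forgotPassword": False,
    "adminExport": True,   # hypothetical privileged view
}


class Unauthorized(Exception):
    """Raised when an unauthenticated request hits a protected view."""


def render(view: str) -> str:
    # Stand-in for the real view renderer.
    return f"rendered:{view}"


def dispatch_fragmented(path: str, authenticated: bool) -> str:
    """Vulnerable pattern: the authorization decision is taken from one
    part of the path while the view that is rendered comes from another."""
    segments = [s for s in path.split("/") if s]
    if not segments:
        raise KeyError("empty path")
    auth_view = segments[0]      # what the permission check looks at
    target_view = segments[-1]   # what the view resolver actually renders
    if VIEW_REQUIRES_AUTH.get(auth_view, True) and not authenticated:
        raise Unauthorized(auth_view)
    if target_view not in VIEW_REQUIRES_AUTH:
        raise KeyError(target_view)
    return render(target_view)


def dispatch_hardened(path: str, authenticated: bool) -> str:
    """Fixed pattern: resolve the view exactly once, reject ambiguous paths,
    and authorize the same view object that will be rendered."""
    segments = [s for s in path.split("/") if s]
    if len(segments) != 1:
        # More than one view segment means the controller and view lookups
        # could disagree; refuse instead of guessing which one wins.
        raise ValueError("ambiguous path: expected exactly one view segment")
    view = segments[0]
    if view not in VIEW_REQUIRES_AUTH:
        raise KeyError(view)
    if VIEW_REQUIRES_AUTH[view] and not authenticated:
        raise Unauthorized(view)
    return render(view)


def outcome(dispatcher, path: str, authenticated: bool = False) -> str:
    """Run one request through a dispatcher and summarise what happened."""
    try:
        return dispatcher(path, authenticated)
    except Unauthorized:
        return "denied"
    except ValueError:
        return "rejected"
    except KeyError:
        return "not-found"


if __name__ == "__main__":
    crafted = "/forgotPassword/adminExport"   # public view in front, privileged view last
    print("fragmented:", outcome(dispatch_fragmented, crafted))   # rendered:adminExport
    print("hardened:  ", outcome(dispatch_hardened, crafted))     # rejected
    print("hardened, direct, no login:", outcome(dispatch_hardened, "/adminExport"))  # denied
    print("hardened, direct, logged in:", outcome(dispatch_hardened, "/adminExport", True))
```

The point generalises beyond this toy: whenever the permission check and the dispatch step each parse the request independently, any difference in how they normalise the path (extra segments, trailing suffixes, case, encoding) is a candidate authorization bypass, and the durable fix is to derive both from a single canonical resolution.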
