HomeVulnerabilityImportant Zero-Day in Apache OfBiz ERP System Exposes Companies to Attack

Important Zero-Day in Apache OfBiz ERP System Exposes Companies to Attack

A brand new zero-day security flaw has been found within the Apache OfBiz, an open-source Enterprise Useful resource Planning (ERP) system that might be exploited to bypass authentication protections.

The vulnerability, tracked as CVE-2023-51467, resides within the login performance and is the results of an incomplete patch for an additional essential vulnerability (CVE-2023-49070, CVSS rating: 9.8) that was launched earlier this month.

“The security measures taken to patch CVE-2023-49070 left the basis subject intact and subsequently the authentication bypass was nonetheless current,” the SonicWall Seize Labs menace analysis crew, which found the bug, mentioned in a press release shared with The Hacker Information.

Apache OfBiz ERP

CVE-2023-49070 refers to a pre-authenticated distant code execution flaw impacting variations previous to 18.12.10 that, when efficiently exploited, may permit menace actors to realize full management over the server and siphon delicate knowledge. It’s brought on attributable to a deprecated XML-RPC element inside Apache OFBiz.

In keeping with SonicWall, CVE-2023-51467 might be triggered utilizing empty and invalid USERNAME and PASSWORD parameters in an HTTP request to return an authentication success message, successfully circumventing the safety and enabling a menace actor to entry in any other case unauthorized inside sources.

See also  Apple backports BLASTPASS zero-day repair to older iPhones

The assault hinges on the truth that the parameter “requirePasswordChange” is about to “Y” (i.e., sure) within the URL, inflicting the authentication to be trivially bypassed whatever the values handed within the username and password fields.

“The vulnerability permits attackers to bypass authentication to realize a easy Server-Aspect Request Forgery (SSRF),” based on an outline of the flaw on the NIST Nationwide Vulnerability Database (NVD).

Customers who depend on Apache OFbiz to replace to model 18.12.11 or later as quickly as doable to mitigate any potential threats.

- Advertisment -spot_img
RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisment -

Most Popular