A brand new zero-day security flaw has been found within the Apache OfBiz, an open-source Enterprise Useful resource Planning (ERP) system that might be exploited to bypass authentication protections.
The vulnerability, tracked as CVE-2023-51467, resides within the login performance and is the results of an incomplete patch for an additional essential vulnerability (CVE-2023-49070, CVSS rating: 9.8) that was launched earlier this month.
“The security measures taken to patch CVE-2023-49070 left the basis subject intact and subsequently the authentication bypass was nonetheless current,” the SonicWall Seize Labs menace analysis crew, which found the bug, mentioned in a press release shared with The Hacker Information.
CVE-2023-49070 refers to a pre-authenticated distant code execution flaw impacting variations previous to 18.12.10 that, when efficiently exploited, may permit menace actors to realize full management over the server and siphon delicate knowledge. It’s brought on attributable to a deprecated XML-RPC element inside Apache OFBiz.
In keeping with SonicWall, CVE-2023-51467 might be triggered utilizing empty and invalid USERNAME and PASSWORD parameters in an HTTP request to return an authentication success message, successfully circumventing the safety and enabling a menace actor to entry in any other case unauthorized inside sources.
The assault hinges on the truth that the parameter “requirePasswordChange” is about to “Y” (i.e., sure) within the URL, inflicting the authentication to be trivially bypassed whatever the values handed within the username and password fields.
“The vulnerability permits attackers to bypass authentication to realize a easy Server-Aspect Request Forgery (SSRF),” based on an outline of the flaw on the NIST Nationwide Vulnerability Database (NVD).
Customers who depend on Apache OFbiz to replace to model 18.12.11 or later as quickly as doable to mitigate any potential threats.
