A new zero-day pre-authentication remote code execution vulnerability has been disclosed in the Apache OFBiz open-source enterprise resource planning (ERP) system. It could allow unauthenticated threat actors to run arbitrary code on affected instances.
Tracked as CVE-2024-38856, the flaw has a CVSS score of 9.8 out of a maximum of 10.0. It affects Apache OFBiz versions prior to 18.12.15.
"The root cause of the vulnerability lies in a flaw in the authentication mechanism," SonicWall, which discovered and reported the shortcoming, said in a statement.
"This flaw allows an unauthenticated user to access functionalities that typically require the user to be logged in, paving the way for remote code execution."
CVE-2024-38856 is also a patch bypass for CVE-2024-36104, a path traversal vulnerability that was addressed in early June with the release of 18.12.14.
SonicWall described the flaw as residing in the override view functionality, which exposes critical endpoints to unauthenticated threat actors who could leverage it to achieve remote code execution via specially crafted requests.
"Unauthenticated access was allowed to the ProgramExport endpoint by chaining it with any other endpoints that don't require authentication by abusing the override view functionality," security researcher Hasib Vhora said.
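As an added example that is not part of the original article or SonicWall's research, the following Python script scans web server access logs for the chaining pattern described above: a request whose path reaches ProgramExport as an override view rather than as the request URI itself. It assumes the usual OFBiz control-servlet URL shape (/<webapp>/control/<requestUri>/<overrideView>), which the article does not spell out, and the log lines and the unauthenticated request URIs used in them (forgotPassword, main) are constructed for illustration, not taken from the advisory.

```python
"""Flag Apache OFBiz requests that reach ProgramExport through an override view.

Added example for this article; not SonicWall's or the OFBiz project's code.
Assumption (not stated in the article): OFBiz's control servlet accepts paths of
the form /<webapp>/control/<requestUri>[/<overrideView>], where a trailing path
segment selects the view to render instead of the one tied to <requestUri>.
"""
import re
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# Endpoint the article names as reachable without a login via view override.
# Compared case-insensitively so the detector errs toward flagging.
SENSITIVE_VIEWS = {"programexport"}

# Assumed control-servlet path shape (see module docstring).
CONTROL_PATH = re.compile(
    r"^/(?P<webapp>[^/]+)/control/(?P<request>[^/]+)(?P<override>/.+)?$"
)

# Combined log format: method and target sit inside the quoted request field.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(target: str) -> str:
    """Strip the query string, undo (possibly repeated) percent-encoding and collapse '//'."""
    path = urlsplit(target).path
    for _ in range(3):  # enough rounds to defeat double encoding such as %252F
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return re.sub(r"/{2,}", "/", path)


def classify_request(method: str, target: str) -> Optional[dict]:
    """Return a finding when an override-view segment names a sensitive endpoint, else None."""
    m = CONTROL_PATH.match(normalize_path(target))
    if not m or not m.group("override"):
        return None  # no override view present: a plain request or a non-control URL
    override_segments = [s for s in m.group("override").split("/") if s]
    hits = [s for s in override_segments if s.lower() in SENSITIVE_VIEWS]
    if not hits:
        return None
    return {
        "method": method,
        "webapp": m.group("webapp"),
        "request_uri": m.group("request"),
        "override_view": hits[0],
    }


def scan_access_log(lines: List[str]) -> List[dict]:
    """Parse combined-format access log lines and collect findings with source IP and status."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        finding = classify_request(m.group("method"), m.group("target"))
        if finding:
            finding["src"] = m.group("src")
            finding["status"] = int(m.group("status"))
            findings.append(finding)
    return findings


# Constructed sample lines, not taken from a real incident. The first path segment
# in the flagged requests stands for an endpoint that does not require a login;
# the article does not name which endpoints were chained, so these are illustrative.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Aug/2024:10:01:12 +0000] "POST /webtools/control/forgotPassword/ProgramExport HTTP/1.1" 200 512 "-" "python-requests/2.32"',
    '203.0.113.7 - - [05/Aug/2024:10:01:13 +0000] "GET /webtools/control/main/ProgramExport HTTP/1.1" 200 498 "-" "curl/8.4.0"',
    '198.51.100.21 - - [05/Aug/2024:10:02:40 +0000] "POST /webtools/control/forgotPassword%2FProgramExport HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.14 - admin [05/Aug/2024:10:03:02 +0000] "GET /webtools/control/ProgramExport HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.14 - - [05/Aug/2024:10:03:30 +0000] "GET /webtools/control/main HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.14 - - [05/Aug/2024:10:03:31 +0000] "GET /accounting/control/login HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    "garbage line that is not in combined log format",
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['src']} {f['method']} {f['webapp']}/{f['request_uri']} "
              f"-> override view {f['override_view']} (HTTP {f['status']})")
```

A request that names ProgramExport directly as the request URI (the fourth sample line) is deliberately not flagged: that path is the normal, login-gated way to reach the endpoint, and the chain the article describes is exactly what avoids it. The percent-decoding loop matters because a single `%2F` in the raw path would otherwise hide the extra segment from the regex. Treat the output as a triage aid alongside upgrading to 18.12.15, not as a substitute for the patch.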
The development comes as another critical path traversal vulnerability in OFBiz that could result in remote code execution (CVE-2024-32113) has since come under active exploitation to deploy the Mirai botnet. It was patched in May 2024.
In December 2023, SonicWall also disclosed a then-zero-day flaw in the same software (CVE-2023-51467) that made it possible to bypass authentication protections. It was subsequently subjected to a large number of exploitation attempts.