
Apache fixes critical OFBiz remote code execution vulnerability

  • 5 September 2024

Jasper_The_Rasper
Moderator

September 5, 2024 By Sergiu Gatlan 


Apache has fixed a critical security vulnerability in its open-source OFBiz (Open For Business) software that could allow unauthenticated attackers to execute arbitrary code on vulnerable Linux and Windows servers.

OFBiz is a suite of customer relationship management (CRM) and enterprise resource planning (ERP) business applications that can also be used as a Java-based web framework for developing web applications.

Tracked as CVE-2024-45195 and discovered by Rapid7 security researchers, this remote code execution flaw stems from a forced browsing weakness: restricted views that should only be reachable after authorization can be requested directly, without valid credentials.

"An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server," security researcher Ryan Emmons explained on Thursday in a report containing proof-of-concept exploit code.

The Apache security team patched the vulnerability in OFBiz 18.12.16 by adding the missing authorization checks. OFBiz users are advised to upgrade to 18.12.16 or later as soon as possible to block potential attacks.
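The following is an added illustration of the weakness class described above (a view dispatcher that renders restricted views on direct request because authorization is only enforced where navigation links are generated), shown beside a hardened dispatcher that enforces the check on every request. It is example code written for this page, not OFBiz's code; the view names, roles, `Request` type and `dispatch_*` functions are hypothetical and constructed for the example.

```python
"""Forced browsing / missing view authorization check, before and after.

Added example, not OFBiz's code. The view table, roles and request
shape below are hypothetical and constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Request:
    """Minimal stand-in for an HTTP request to a view (hypothetical)."""
    view: str
    user: Optional[str] = None          # None means unauthenticated
    roles: Set[str] = field(default_factory=set)


# Hypothetical view table: view name -> role required to render it.
# None marks a public view.
VIEW_ACL: Dict[str, Optional[str]] = {
    "login": None,
    "main": "user",
    "admin/ReportBuilder": "admin",
}


def render(view: str) -> str:
    """Stand-in for actually rendering a view."""
    return f"<rendered {view}>"


def nav_links(req: Request) -> List[str]:
    """Menu generation: only links the caller may use are emitted.

    This is the *only* place the vulnerable dispatcher applies the ACL,
    which is exactly the mistake behind forced browsing: hiding a link
    is not an authorization check on the request itself.
    """
    return [v for v, role in VIEW_ACL.items() if role is None or role in req.roles]


def dispatch_vulnerable(req: Request) -> str:
    """Renders any known view named in the request, no matter who asks."""
    if req.view not in VIEW_ACL:
        return "404"
    # Forced browsing: a direct request to a restricted view name
    # bypasses the menu-level filtering entirely.
    return render(req.view)


def dispatch_hardened(req: Request) -> str:
    """Enforces the view ACL on every dispatch, not just in the menu."""
    if req.view not in VIEW_ACL:
        return "404"
    required = VIEW_ACL[req.view]
    if required is None:
        return render(req.view)
    if req.user is None:
        return "401"                    # unauthenticated: send to login
    if required not in req.roles:
        return "403"                    # authenticated but not authorized
    return render(req.view)


if __name__ == "__main__":
    anon = Request(view="admin/ReportBuilder")
    print("menu shown to anonymous user:", nav_links(anon))
    print("vulnerable dispatcher:", dispatch_vulnerable(anon))
    print("hardened dispatcher:  ", dispatch_hardened(anon))
```

The point the example makes is that the menu filter in `nav_links` and the check in `dispatch_hardened` must both exist: the first is a usability feature, the second is the security control, and an attacker who knows or guesses a restricted view name never goes through the first.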
