In the Apache OFBIZ system, which is widely used to plan the resources of the enterprise (ERP), a critical Zero-day vulnerability was discovered. It allows you to bypass authentication systems and exposes the business of many enterprises to the real risk of cyberatack.
Sonicwall research group discovered a vulnerability, which received the designation CVE-2023-51467. The problem is associated with the function of entering the system and is a consequence of the incomplete correction of the previous critical vulnerability CVE-2023-49070, the correction of which was issued earlier this month.
CVE-2023-49070 is a vulnerability that allows you to remotely execute the code without authentication. It affects the version until 12/18/10 and can lead to complete control of the server and theft of confidential data. The problem is caused by an obsolete XML-RPC component in Apache OFBIZ.
CVE-2023-51467 is activated using empty or invalid parameters of Username and Password in the HTTP request, which leads to a message about successful authentication. This allows attackers to access internal resources.
The attack depends on the fact that the “Requirepasswordchange” parameter is set to “y” (yes) in the URL, which allows you to bypass the authentication regardless of the user data and password.
The American national vulnerability database (NVD) states that the vulnerability allows you to bypass authentication and leads to vulnerability for server falsification of requests (SSRF).
Apache OFBIZ systems are strongly recommended to be updated to version 18.12.11 or newer to eliminate potential threats.