A new vulnerability has been discovered in Apache OFBiz that allows attackers to execute code remotely on vulnerable instances. The flaw, tracked as CVE-2024-38856, carries a critical CVSS score of 9.8. Affected versions of Apache OFBiz run up to version 18.12.15.
SonicWall, which discovered and reported the vulnerability, pointed out that the issue lies in the authentication mechanism: unauthenticated users can reach functions that normally require logging in, which opens the way to remote code execution.
CVE-2024-38856 also bypasses the patch for CVE-2024-36104, a path bypass issue fixed in June 2024 with the release of version 18.12.14.
According to SonicWall, the problem lies in the override view function, which gives unauthorized users access to critical endpoints and lets them execute code remotely through specially crafted requests.
Security researcher Hasib Vorus noted that the ProgramExport endpoint could be reached without authentication, allowing attackers to make use of other endpoints that did not require authorization through the override view function. The vulnerability has been patched in OFBiz version 18.12.15 on GitHub.
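As an added example (not from the article, SonicWall or the OFBiz project), the check below scans web server access logs for requests that reach a session-protected view through the override view URL form. It assumes that form is `/<app>/control/<view>/<overrideView>`, that `ProgramExport` should only be reachable with an authenticated session, and it runs on constructed sample log lines.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in Apache combined-log style; the IPs are documentation
# ranges and the view name "publicView" is a placeholder, not a real OFBiz view.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Aug/2024:10:01:02 +0000] "GET /webtools/control/main HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.10 - - [05/Aug/2024:10:01:05 +0000] "POST /webtools/control/ProgramExport HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.7 - - [05/Aug/2024:10:02:11 +0000] "POST /webtools/control/publicView/ProgramExport HTTP/1.1" 200 1834 "-" "python-requests/2.31"
192.0.2.5 - - [05/Aug/2024:10:03:00 +0000] "GET /catalog/control/main?x=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Views that should only be reachable with an authenticated webtools session.
# The article names ProgramExport; extend this set with other sensitive views.
SENSITIVE_VIEWS = {"ProgramExport"}


def override_chain(path: str):
    """Return (requested_view, override_view) when the control URL has the
    assumed override-view shape /<app>/control/<view>/<overrideView>, else None."""
    clean = urlsplit(path).path  # drop any query string before splitting
    marker = "/control/"
    idx = clean.find(marker)
    if idx < 0:
        return None
    segments = [s for s in clean[idx + len(marker):].split("/") if s]
    if len(segments) < 2:
        return None  # a plain /control/<view> request, no override in play
    return segments[0], segments[-1]


def find_override_view_abuse(log_text: str):
    """Flag requests whose override view is a sensitive view; a 2xx status means
    the server served it instead of bouncing the client to the login page."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        chain = override_chain(m["path"])
        if chain is None or chain[1] not in SENSITIVE_VIEWS:
            continue
        findings.append({"ip": m["ip"], "timestamp": m["ts"], "method": m["method"],
                         "requested_view": chain[0], "override_view": chain[1],
                         "status": int(m["status"])})
    return findings
```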
Although neither Apache representatives nor SonicWall researchers gave clear information on whether the vulnerability was exploited before it was detected, it has been labeled a zero-day. That makes updating to a fixed version promptly urgent, since attackers may already understand in detail how to exploit the vulnerability in real attacks.
These developments come amid another critical OFBiz vulnerability, CVE-2024-32113, which is actively being exploited to expand the Mirai botnet. Despite the patch being