Stratos Ally

New Zero-Day Flaw in Apache OFBiz ERP Allows Remote Code Execution 

StratosAlly

A critical security vulnerability has been disclosed in the Apache OFBiz open-source ERP system. The bug could let attackers run code on affected systems without logging in. Tracked as CVE-2024-38856, the flaw carries a CVSS score of 9.8 out of 10.0 and affects Apache OFBiz versions before 18.12.15.

Discovered and reported by SonicWall, the vulnerability stems from a weakness in the system's access control mechanism: it lets unauthenticated users reach parts of the application intended only for authenticated users, which can lead to remote code execution.

CVE-2024-38856 is a bypass of the fix for CVE-2024-36104, a path traversal weakness patched in version 18.12.14, released at the start of June. The new flaw abuses the override view feature, which leaves key endpoints reachable without login credentials, so attackers could run code remotely using specially crafted requests.

Security researcher Hasib Vhora described how the weakness can be exploited: the ProgramExport endpoint can be reached without logging in by chaining it, through the override view feature, with other endpoints that do not require authentication.
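
The chaining described above leaves a trace in web-server access logs: a request path that names one controller request and then a second, sensitive one behind it. The following detection script is an added example, not code from the article, SonicWall or the OFBiz project; it assumes Apache combined log format and the OFBiz URL layout `/<webapp>/control/<request>/<view>`, and the log lines (including the `someRequest` segment) are constructed.

```python
import re
from urllib.parse import urlsplit

# Apache combined log format (assumed); the sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Request names that should only be reachable by authenticated users.
# ProgramExport is the one named in the advisory; extend with your own list.
SENSITIVE = {"programexport"}

def control_segments(target):
    """Path segments after '/control/' in an OFBiz URL (assumed layout),
    lower-cased, with matrix parameters such as ';jsessionid=...' stripped."""
    parts = [p.split(";")[0].lower() for p in urlsplit(target).path.split("/") if p]
    if "control" not in parts:
        return []
    return parts[parts.index("control") + 1:]

def classify(line):
    """Return a finding tuple (kind, ip, first_request, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    segs = control_segments(m.group("target"))
    if not segs:
        return None
    # Override view in play: more than one segment after /control/, and a
    # sensitive request name appears somewhere after the first one.
    if len(segs) > 1 and any(s in SENSITIVE for s in segs[1:]):
        return ("override-view-chain", m.group("ip"), segs[0], m.group("status"))
    # Direct hit on a sensitive endpoint: review against session/auth data.
    if segs[0] in SENSITIVE:
        return ("direct-sensitive", m.group("ip"), segs[0], m.group("status"))
    return None

SAMPLE_LOG = """\
203.0.113.5 - - [05/Aug/2024:10:01:02 +0000] "GET /webtools/control/main HTTP/1.1" 200 512
203.0.113.9 - - [05/Aug/2024:10:01:07 +0000] "POST /webtools/control/someRequest/ProgramExport HTTP/1.1" 200 1033
198.51.100.7 - - [05/Aug/2024:10:01:09 +0000] "POST /webtools/control/ProgramExport;jsessionid=ABC HTTP/1.1" 200 1033
"""

def scan(text):
    """Run classify() over every line and keep only the findings."""
    return [f for f in (classify(l) for l in text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 200 status on an override-view chain from an address with no prior authenticated session is the case worth escalating; a 401/403 on the same path shows the patch doing its job.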

This discovery follows another serious OFBiz flaw (CVE-2024-32113), fixed in May 2024, which attackers have been exploiting to spread the Mirai botnet. In December 2023, SonicWall also disclosed a zero-day bug in OFBiz (CVE-2023-51467) that allowed attackers to bypass authentication and drew numerous exploitation attempts.

These recurring flaws in Apache OFBiz show the ongoing security challenges that open-source ERP systems face. They also underline how important it is for organisations running such software to patch promptly and monitor closely for signs of exploitation.