Researchers have uncovered a critical zero-day authentication bypass in Apache OFBiz, the open-source enterprise resource planning (ERP) system. The flaw is tracked as CVE-2023-51467 and carries a CVSS score of 9.8.
An attacker who bypasses authentication this way can then reach internal endpoints and achieve a simple Server-Side Request Forgery (SSRF).
CVE-2023-51467 exists because the patch for CVE-2023-49070, a pre-authentication remote code execution (RCE) flaw in Apache OFBiz, was incomplete: it removed the vulnerable endpoint but not the underlying authentication bypass.
CVE-2023-49070 stemmed from an outdated, no-longer-maintained XML-RPC component within Apache OFBiz.
Compounding the problem, zero-day vulnerabilities such as the MOVEit SQL injection and the Zimbra XSS keep surfacing, with more than 300 such vulnerabilities discovered each month.
Apache OFBiz is an open-source enterprise resource planning (ERP) system.
The name may not be familiar, but the software is embedded in well-known products, including Atlassian's JIRA, which is used by more than 120,000 enterprises.
As with many libraries deep in the software supply chain, exploitation of this vulnerability could therefore have far-reaching consequences.
The vulnerability tracked as CVE-2023-51467 lies in OFBiz's login handling, not in the XML-RPC endpoint itself.
Removing the XML-RPC code, which was the fix shipped for CVE-2023-49070, therefore did not fully address the problem: the same authentication bypass remains reachable through other endpoints.
This vulnerability affects Apache OFBiz versions before 18.12.11.
Anyone running Apache OFBiz is urged to update to version 18.12.11 or later immediately.
In addition to the fix, SonicWall has released an IPS signature (IPS: 15949) to detect active exploitation of this vulnerability.
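As an added example (not code from this article, from SonicWall or from the OFBiz project), the following Python scans web-server access logs for the request pattern behind the two CVEs discussed above. The indicator it looks for, a request to an OFBiz /control/ endpoint carrying requirePasswordChange=Y with empty or absent USERNAME and PASSWORD parameters, comes from SonicWall's public analysis of CVE-2023-51467 and is an assumption here, not something this article states; the log lines, the second "XML-RPC probe" rule, and all function names are constructed for the example.

```python
"""Scan Apache/nginx "combined" access logs for Apache OFBiz probing.

Added example; not part of the article or of OFBiz. Assumptions:
- The CVE-2023-51467 indicator (requirePasswordChange=Y with blank
  USERNAME/PASSWORD against a /control/ endpoint) follows SonicWall's
  public write-up, not this article.
- Requests to /control/xmlrpc are treated as probes for CVE-2023-49070,
  whose fix removed that endpoint in 18.12.10.
- Log lines below are constructed; addresses are documentation ranges.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Minimal parser for one combined-format access-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)

# Constructed sample: one bypass attempt, one normal page view, one XML-RPC
# probe that hits a removed endpoint, and one legitimate password change.
LOG_SAMPLE = """\
203.0.113.5 - - [10/Jan/2024:06:12:01 +0000] "GET /webtools/control/ping?USERNAME&PASSWORD&requirePasswordChange=Y HTTP/1.1" 200 53 "-" "curl/8.4.0"
198.51.100.7 - - [10/Jan/2024:06:12:04 +0000] "GET /webtools/control/main HTTP/1.1" 200 9122 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2024:06:12:09 +0000] "POST /webtools/control/xmlrpc HTTP/1.1" 404 0 "-" "python-requests/2.31"
192.0.2.44 - - [10/Jan/2024:06:13:30 +0000] "GET /webtools/control/login?USERNAME=admin&PASSWORD=ofbiz&requirePasswordChange=Y HTTP/1.1" 200 4011 "-" "Mozilla/5.0"
"""


def is_bypass_attempt(target: str) -> bool:
    """True if the request target matches the CVE-2023-51467 bypass shape.

    Only /control/ endpoints are considered. keep_blank_values=True is
    essential: the bare form "USERNAME&PASSWORD" (no '=') must still yield
    empty values rather than being dropped by parse_qs.
    """
    parts = urlsplit(target)
    if "/control/" not in parts.path:
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    # Matched case-insensitively on purpose: lenient for detection.
    if qs.get("requirePasswordChange", [""])[0].upper() != "Y":
        return False
    # A genuine password-change request carries a username; the bypass
    # pattern has both credentials blank or absent.
    username = qs.get("USERNAME", [""])[0]
    password = qs.get("PASSWORD", [""])[0]
    return username == "" and password == ""


def is_xmlrpc_probe(target: str) -> bool:
    """True for requests aimed at the XML-RPC endpoint (CVE-2023-49070)."""
    return urlsplit(target).path.rstrip("/").endswith("/control/xmlrpc")


def classify(target: str):
    """Return a finding label for a request target, or None if benign."""
    if is_bypass_attempt(target):
        return "cve-2023-51467-auth-bypass"
    if is_xmlrpc_probe(target):
        return "cve-2023-49070-xmlrpc-probe"
    return None


def scan(log_text: str) -> list:
    """Parse every line and return the suspicious requests, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real scanner would count these
        kind = classify(m["target"])
        if kind:
            findings.append({
                "ip": m["ip"],
                "time": m["ts"],
                "kind": kind,
                "status": int(m["status"]),
                "target": m["target"],
            })
    return findings


if __name__ == "__main__":
    for f in scan(LOG_SAMPLE):
        print(f"{f['time']} {f['ip']} {f['kind']} status={f['status']} {f['target']}")
```

Access logs only record the query string, so this catches GET-style probes; the same parameters sent in a POST body are invisible here and need an inline inspection point such as the IPS signature above or a WAF. A 200 on the bypass request is the stronger signal, since a patched instance should reject it, while the 404 on the XML-RPC endpoint is consistent with that endpoint having already been removed by the CVE-2023-49070 fix.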
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 10 Jan 2024 06:55:11 +0000