The U.S. Cybersecurity and Infrastructure Security Agency (CISA)\u00a0added<\/a> Apache OFBiz Incorrect Authorization Vulnerability CVE-2024-38856<\/a> (CVSS score of 9.8) to its Known Exploited Vulnerabilities (KEV) catalog<\/a>.<\/p>\n\n\n\n
\u201cUnauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don\u2019t explicitly check user\u2019s permissions because they rely on the configuration of their endpoints).\u201d reads the advisory<\/a>.<\/em><\/p>\n\n\n\n
\u201cThe SonicWall Capture Labs threat research team has discovered a pre-authentication remote code execution vulnerability in Apache OFBiz being tracked as CVE-2024-38856<\/a> with a CVSS score of 9.8. This is the second major flaw<\/a> SonicWall has discovered in Apache OFBiz in recent months, the first coming in December 2023.\u201d wrote Vhora<\/strong><\/a>. \u201cThis time, a flaw in the override view functionality exposes critical endpoints to unauthenticated threat actors using a crafted request, paving the way for remote code execution. It affects Apache OFBiz versions up to 18.12.14, and users are strongly encouraged to upgrade their instances to version 18.12.15<\/a> or newer.\u201d<\/p>\n\n\n\n
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities<\/a>, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend private organizations review the Catalog<\/a> and address the vulnerabilities in their infrastructure.<\/p>\n\n\n\n
CISA orders federal agencies to fix this vulnerability by\u00a0September 17, 2024.<\/p>\n\n\n\n
Pierluigi Paganini<\/strong><\/a>
Follow me on Twitter: @securityaffairs<\/strong><\/a> and Facebook<\/strong><\/a> and Mastodon<\/a><\/p>\n\n\n\n
(<\/strong>SecurityAffairs<\/strong><\/a>\u00a0\u2013<\/strong>\u00a0hacking,\u00a0CISA<\/a>)<\/strong><\/p>\n\n\n\n