Apache fixed a high-severity vulnerability, tracked as CVE-2024-45195 (CVSS score: 7.5), affecting the Apache OFBiz open-source enterprise resource planning (ERP) system.
“Apache OFBiz below 18.12.16 is vulnerable to unauthenticated remote code execution on Linux and Windows. An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server,” reads the analysis published by Rapid7. “Exploitation is facilitated by bypassing previous patches for CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856; this patch bypass vulnerability is tracked as CVE-2024-45195.”

“In this patch, authorization checks were implemented for the view. This change validates that a view should permit anonymous access if a user is unauthenticated, rather than performing authorization checks purely based on the target controller,” concludes Rapid7. “OFBiz users should update to the fixed version as soon as possible.”
Pierluigi Paganini

(SecurityAffairs – hacking, Apache OFBiz)