Security News > 2024 > August > Critical Apache OFBiz pre-auth RCE flaw fixed, update ASAP! (CVE-2024-38856)
CVE-2024-38856, an incorrect authorization vulnerability affecting all but the latest version of Apache OFBiz, may be exploited by remote, unauthenticated attackers to execute arbitrary code on vulnerable systems.
Apache OFBiz is an open-source framework for enterprise resource planning that encompasses web applications that serve common business needs, such as human resources, accounting, inventory management, customer relationship management, marketing and so on.
CVE-2024-38856 - whose discovery has been credited to Hasib Vhora, a senior threat researcher at SonicWall's Capture Labs, and a slew of other security researchers - affects every Apache OFBiz version up to and including v18.12.14.
The description of the vulnerability by Apache OFBiz developer Jacques Le Roux is light on specifics, but Vhora has published a detailed technical write-up about it.
Users are recommended to upgrade their installations as soon as possible, especially in view of the recent report by the SANS Internet Storm Center, which warns about attackers trying to exploit CVE-2024-32113, a path traversal vulnerability that affects OFBiz versions up to v18.12.12.
SonicWall says that the Apache OFBiz team came up with a fix for CVE-2024-38856 within 24 hours, and that at this time, they are unaware of any active exploitation of the flaw.
News URL
https://www.helpnetsecurity.com/2024/08/05/cve-2024-38856/
Related news
- Critical Commvault RCE vulnerability fixed, PoC available (CVE-2025-34028) (source)
- CrushFTP: Patch critical vulnerability ASAP! (CVE-2025-2825) (source)
- CrushFTP CEO's feisty response to VulnCheck's CVE for critical make-me-admin bug (source)
- Critical Firefox, Tor Browser sandbox escape flaw fixed (CVE-2025-2857) (source)
- Still Using an Older Version of iOS or iPadOS? Update Now to Patch These Critical Security Vulnerabilities (source)
- Ivanti VPN customers targeted via unrecognized RCE vulnerability (CVE-2025-22457) (source)
- Max severity RCE flaw discovered in widely used Apache Parquet (source)
- Critical Flaw in Apache Parquet Allows Remote Attackers to Execute Arbitrary Code (source)
- WinRAR MotW bypass flaw fixed, update ASAP (CVE-2025-31334) (source)
- RCE flaw in MSP-friendly file sharing platform exploited by attackers (CVE-2025-30406) (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-08-05 | CVE-2024-38856 | Unspecified vulnerability in Apache Ofbiz Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints). | 9.8 |
| 2024-05-08 | CVE-2024-32113 | Unspecified vulnerability in Apache Ofbiz Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13. Users are recommended to upgrade to version 18.12.13, which fixes the issue. | 9.8 |