Security News > 2024 > August > New Zero-Day Flaw in Apache OFBiz ERP Allows Remote Code Execution

A new zero-day pre-authentication remote code execution vulnerability has been disclosed in the Apache OFBiz open-source enterprise resource planning system that could allow threat actors to achieve remote code execution on affected instances.

"The root cause of the vulnerability lies in a flaw in the authentication mechanism," SonicWall, which discovered and reported the shortcoming, said in a statement.

"This flaw allows an unauthenticated user to access functionalities that generally require the user to be logged in, paving the way for remote code execution."

SonicWall described the flaw as residing in the override view functionality that exposes critical endpoints to unauthenticated threat actors, who could leverage it to achieve remote code execution via specially crafted requests.

The development comes as another critical path traversal vulnerability in OFBiz that could result in remote code execution has since come under active exploitation to deploy the Mirai botnet.

In December 2023, SonicWall also disclosed a then-zero-day flaw in the same software that made it possible to bypass authentication protections.

News URL

https://thehackernews.com/2024/08/new-zero-day-flaw-in-apache-ofbiz-erp.html