A vulnerability, CVE-2024-38856, has been found in Apache OFBiz that allows unauthenticated remote code execution. A patch is available, and the OFBiz developers strongly recommend installing it immediately because of the high risk of exploitation.
Apache OFBiz RCE Vulnerability
Researchers at SonicWall Capture Labs have found a critical zero-day vulnerability, CVE-2024-38856, in Apache OFBiz, rated CVSS 9.8. The flaw affects all versions through 18.12.14 inclusive and allows unauthenticated attackers to execute arbitrary code on the server.
Apache OFBiz is an open-source ERP framework used by organizations such as United Airlines, Atlassian, HP, and Upwork. It bundles web applications for common business functions such as accounting, HR, and CRM. Because these applications are frequently exposed to the internet or to a large internal user base, organizations running OFBiz are advised to address the vulnerability promptly.
The root cause is incorrect authorization rather than a broken login: the project's advisory describes endpoints that could be reached without authentication and, under certain preconditions, made to execute the rendering code of screens that relied on their endpoint configuration instead of explicitly checking the user's permissions. An unauthenticated attacker who reaches such a screen can therefore run code on the server.
This vulnerability is similar to an earlier one, CVE-2023-51467, also rated CVSS 9.8, which was an authentication bypass in the login function that stemmed from an incomplete fix for another critical flaw, CVE-2023-49070.
All of these vulnerabilities allow remote code execution (RCE), so a successful attacker gains control of the server and access to the business data it holds. For an ERP system that holds financial, HR, and customer records, the newly discovered CVE-2024-38856 is especially dangerous because it needs no credentials at all, putting that internal data at risk of exposure.
Unlike the earlier OFBiz flaws, there were no reports of CVE-2024-38856 being exploited in the wild at the time of writing. However, attackers are likely to begin exploiting it soon after disclosure, as has happened with other Apache vulnerabilities. The Apache OFBiz team released a patch for CVE-2024-38856 within 24 hours of its disclosure. Companies using OFBiz should upgrade to version 18.12.15; no workaround is available, so any release older than 18.12.15 (including older branches such as 17.12.x) should be treated as affected.
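The advisory's "through 18.12.14, fixed in 18.12.15" wording trips up a naive check that only looks at the patch number: 17.12.x releases are also affected, and a 18.12.15 pre-release build is not yet fixed. The following script is an added example (not part of the original article and not Apache's own tooling) that turns the advisory's version range into a proper ordering comparison and triages a constructed, hypothetical inventory of hosts and their reported OFBiz versions:

```python
"""Inventory check for CVE-2024-38856 (added example, hypothetical host names).

Apache's advisory says the flaw affects OFBiz "through 18.12.14" and is fixed
in 18.12.15, so every release that sorts before 18.12.15 is affected. That
includes older branches (17.12.x) and pre-release builds of 18.12.15 itself,
which a plain string or patch-number comparison would get wrong.
"""
import re

FIXED_VERSION = "18.12.15"


def parse_version(v: str) -> tuple:
    """Turn '18.12.14' or '18.12.15-SNAPSHOT' into a comparable tuple.

    Numeric components compare numerically (so '09' == 9). A trailing
    pre-release tag such as '-rc1' or '-SNAPSHOT' ranks below the tagless
    release of the same number, so 18.12.15-SNAPSHOT still counts as affected.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-.]([A-Za-z]\w*))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))      # pad so '18.12' compares as 18.12.0
    release_rank = 0 if m.group(2) else 1  # pre-release sorts before release
    return nums + (release_rank,)


def is_affected(version: str) -> bool:
    """True when the reported version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory: dict) -> dict:
    """Map each host to 'affected', 'fixed' or 'unknown' (unparseable version)."""
    result = {}
    for host, ver in inventory.items():
        try:
            result[host] = "affected" if is_affected(ver) else "fixed"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory with hypothetical host names, not real data.
SAMPLE_INVENTORY = {
    "erp-prod-01": "18.12.14",           # last affected release
    "erp-prod-02": "18.12.15",           # fixed
    "erp-legacy": "17.12.09",            # older branch, still affected
    "erp-staging": "18.12.15-SNAPSHOT",  # pre-release of the fix, not fixed
    "erp-unknown": "n/a",                # version not reported
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {SAMPLE_INVENTORY[host]:20s} {status}")
```

Feed it whatever version strings your asset inventory or a banner scan reports; anything marked "unknown" needs a manual look rather than being assumed safe.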