Apache OFBiz Patches CVE-2024-36104

The Apache Software Foundation has issued a critical security patch to address a vulnerability in Apache OFBiz that could allow remote attackers to execute arbitrary code on affected systems, potentially leading to full system compromise.

The vulnerability, tracked as CVE-2024-36104, is a path traversal flaw that allows attackers to access restricted directories and files on an OFBiz server. By manipulating file paths, malicious actors can execute commands, upload malicious files, or steal sensitive data.

The vulnerability stems from improper input validation and a lack of restrictions on file paths. It is classified as important, given its potential to severely compromise the confidentiality, integrity, and availability of resources.
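The fix for the root cause described above is to canonicalize any user-supplied path and refuse anything that resolves outside the directory a handler is allowed to serve. The following is an added example of such a containment check, not code from OFBiz or from the patch; `BASE_DIR` and the sample request strings are constructed placeholders, and the check also covers percent-encoded, double-encoded and backslash variants that a naive string filter would miss.

```python
from typing import Optional
import posixpath
from urllib.parse import unquote

# Constructed placeholder for the directory a file-serving handler may expose.
BASE_DIR = "/srv/ofbiz-demo/webapp/files"


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_request_path(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path inside base_dir, or None if the request escapes it."""
    candidate = decode_fully(requested)
    if "\x00" in candidate:                  # NUL bytes can truncate paths in native layers
        return None
    candidate = candidate.replace("\\", "/")  # treat backslash as a separator as well
    if candidate.startswith("/"):             # absolute paths are never served
        return None
    # normpath collapses '.' and '..' lexically, independent of the host OS
    joined = posixpath.normpath(posixpath.join(base_dir, candidate))
    base = posixpath.normpath(base_dir)
    # The resolved path must be the base itself or strictly below it
    if joined != base and not joined.startswith(base + "/"):
        return None
    return joined


def is_traversal_attempt(requested: str) -> bool:
    """Detection helper for request logs: True when the string would escape BASE_DIR."""
    return resolve_request_path(BASE_DIR, requested) is None
```

The same containment rule can be run over archived request parameters to find past traversal attempts against an unpatched instance.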

All versions of Apache OFBiz prior to 18.12.14 are affected by this vulnerability. Organizations using OFBiz for ERP, CRM, e-commerce, supply chain management, or manufacturing resource planning are urged to update their systems immediately. The vulnerability’s severity and the widespread use of OFBiz make it a prime target for exploitation.

The Apache Software Foundation has released OFBiz version 18.12.14, which contains a fix for the vulnerability. Users are strongly advised to upgrade to this version as soon as possible.
