
Apache OFBiz has received a security update for CVE-2024-45195, a flaw with a CVSS score of 7.5 that allows attackers to bypass authorization checks and execute arbitrary code on the server, even without valid credentials.
CVE-2024-45195 is a bypass of the fixes for a series of previously addressed vulnerabilities (CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856), highlighting the persistent nature of this security issue. CVE-2024-32113 and CVE-2024-38856 have already been actively exploited in the wild, with the former used to deploy the notorious Mirai botnet malware.
According to an Imperva report, 25,000 malicious requests targeting 4,000 unique sites have been detected since the vulnerability was disclosed. These attacks primarily target the financial services and business sectors; attackers seek to deploy malware, steal sensitive data, or disrupt business operations by exploiting this flaw.
Apache OFBiz versions prior to 18.12.16 are affected. The latest patch introduces critical changes, including proper validation to ensure that view authorization is correctly enforced. The patch also blocks unauthorized users from exploiting the controller-view desynchronization flaw, providing much-needed protection for enterprise systems. Organizations using OFBiz are strongly urged to update to the latest version immediately to mitigate this critical risk.
The same release, Apache OFBiz 18.12.16, also fixes other vulnerabilities, including a critical server-side request forgery (SSRF) flaw tracked as CVE-2024-45507 (CVSS score 9.8) that could lead to unauthorized access and system compromise.