A new zero-day security flaw has been found in the Apache OfBiz, an open up-source Enterprise Useful resource Setting up (ERP) program that could be exploited to bypass authentication protections.
The vulnerability, tracked as CVE-2023-51467, resides in the login functionality and is the consequence of an incomplete patch for another critical vulnerability (CVE-2023-49070, CVSS score: 9.8) that was introduced earlier this thirty day period.
“The security measures taken to patch CVE-2023-49070 still left the root issue intact and for that reason the authentication bypass was nonetheless existing,” the SonicWall Seize Labs risk exploration team, which learned the bug, claimed in a statement shared with The Hacker Information.
CVE-2023-49070 refers to a pre-authenticated remote code execution flaw impacting variations prior to 18.12.10 that, when effectively exploited, could enable danger actors to obtain total management around the server and siphon sensitive information. It is caused because of to a deprecated XML-RPC part within Apache OFBiz.
In accordance to SonicWall, CVE-2023-51467 could be induced working with empty and invalid USERNAME and PASSWORD parameters in an HTTP request to return an authentication accomplishment message, efficiently circumventing the defense and enabling a menace actor to entry otherwise unauthorized interior assets.
The attack hinges on the simple fact that the parameter “requirePasswordChange” is set to “Y” (i.e., of course) in the URL, creating the authentication to be trivially bypassed irrespective of the values passed in the username and password fields.
“The vulnerability permits attackers to bypass authentication to attain a simple Server-Aspect Ask for Forgery (SSRF),” according to a description of the flaw on the NIST Countrywide Vulnerability Databases (NVD).
People who count on Apache OFbiz to update to model 18.12.11 or later as soon as attainable to mitigate any probable threats.
Located this short article intriguing? Adhere to us on Twitter and LinkedIn to examine extra exceptional information we post.
Some parts of this article are sourced from:
thehackernews.com
Chinese Hackers Exploited New Zero-Day in Barracuda’s ESG Appliances