Zero-Day Flaw in Apache OFBiz open-source ERP allows Remote Code Execution (CVE-2024-38856)

Published: Aug 16, 2024 18:59

Advisory No: TZCERT-SA-24-0015

Source: Apache OFBiz

Software Affected: Apache OFBiz

Overview

Apache OFBiz is vulnerable to a zero-day remote code execution vulnerability. Successful exploitation of the vulnerability may allow attackers to take control of the affected device.

Description

Apache OFBiz open-source enterprise resource planning (ERP) is affected by a critical vulnerability tracked as CVE-2024-38856 with a CVSS score of 9.8. The flaw results from improper limitation of a pathname to a restricted directory ('Path Traversal') leading to failure of the authentication mechanism. Leveraging the vulnerability allows the attacker to achieve remote code execution via specially crafted requests.

Impact

Successful exploitation of this vulnerability may allow an attacker to take control of the affected device.

Solution

Apache has released a patch for this vulnerability. Users and administrators are encouraged to apply the necessary updates.
