A new zero-day security vulnerability has been discovered in Apache OfBiz, an open source enterprise resource planning (ERP) system that can be exploited to bypass authentication protection.
The vulnerability is tracked as CVE-2023-51467resides in the login functionality, and is the result of an incomplete patch for another critical vulnerability (CVE-2023-49070, CVSS score: 9.8) released earlier this month.
“The security measures taken to patch CVE-2023-49070 leave the underlying issue intact, so the authentication bypass remains,” the SonicWall Capture Labs threat research team, which discovered the vulnerability, said in a statement shared with The Hacker News. .”
CVE-2023-49070 refers to a pre-authenticated remote code execution flaw affecting versions prior to 18.12.10. Successful exploitation of the flaw could allow threat actors to take full control of the server and steal sensitive data. This is caused by the deprecated XML-RPC component in Apache OFBiz.
According to SonicWall, CVE-2023-51467 can be triggered by using empty and invalid username and password parameters in an HTTP request to return an authentication success message, effectively circumventing protection and allowing threat actors to access unauthorized data. Authorized internal resources.
This attack relies on the “requirePasswordChange” parameter in the URL being set to “Y” (i.e. “Yes”), allowing authentication to be easily bypassed regardless of the values passed in the username and password fields.
According to a description of the flaw on the NIST National Vulnerability Database (NVD), “This vulnerability allows an attacker to bypass authentication to achieve simple server-side request forgery (SSRF).”
Users who rely on Apache OFbiz are advised to update to version 18.12.11 or higher as soon as possible to mitigate any potential threats.
