A newly discovered zero-day flaw, CVE-2023-51467, poses a critical security risk to the open-source ERP system Apache OFBiz. The vulnerability, discovered by SonicWall Capture Labs, stems from an incomplete patch for CVE-2023-49070, an earlier remote code execution vulnerability. That incomplete fix left an authentication bypass in the login function, potentially granting unauthorized access to internal resources.
CVE-2023-49070, which affects versions before 18.12.10, could lead to complete server control and data exfiltration through a deprecated XML-RPC component in Apache OFBiz. The new flaw, CVE-2023-51467, can be triggered by submitting empty or invalid USERNAME and PASSWORD parameters in an HTTP request, which causes the system to report authentication success and bypasses the login check.
The bypass relies on the “requirePasswordChange” parameter being set to “Y” in the URL, which makes the authentication check trivial to circumvent and ultimately enables attackers to perform Server-Side Request Forgery (SSRF) attacks. The National Vulnerability Database (NVD) entry for this vulnerability emphasizes the risk of unauthorized access to sensitive resources. Mitigation for this critical threat is to update Apache OFBiz to version 18.12.11 or later.
This update patches the flaw, preventing unauthorized access and reducing the risk of further exploitation. Users of Apache OFBiz are urged to apply it promptly to protect against threats stemming from this security hole.
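As an added illustration (not code from the article or from the OFBiz project), the following Python scans constructed web-server access-log lines for the request pattern described above, requirePasswordChange=Y together with blank or missing USERNAME/PASSWORD parameters; the log format, paths and addresses are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (common log format), not real traffic.
# Entries 1 and 3 carry requirePasswordChange=Y with a blank or missing
# credential; entries 2 and 4 are ordinary requests.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Dec/2023:10:01:02 +0000] "POST /webtools/control/ping?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 512
10.0.0.7 - - [26/Dec/2023:10:01:05 +0000] "GET /webtools/control/main?USERNAME=admin&PASSWORD=secret HTTP/1.1" 200 1024
10.0.0.9 - - [26/Dec/2023:10:01:09 +0000] "GET /catalog/control/login?USERNAME=guest&requirePasswordChange=Y HTTP/1.1" 200 300
10.0.0.5 - - [26/Dec/2023:10:01:12 +0000] "GET /webtools/control/xmlrpc HTTP/1.1" 404 0
"""

# Client IP, timestamp, request line and status code are all this check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(url: str):
    """Return None for a normal request, or a dict describing why the URL
    matches the CVE-2023-51467 pattern: requirePasswordChange=Y is present,
    with a flag telling whether USERNAME/PASSWORD are blank or absent."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if qs.get("requirePasswordChange", [""])[0].strip().upper() != "Y":
        return None
    user = qs.get("USERNAME", [""])[0].strip()
    pw = qs.get("PASSWORD", [""])[0].strip()
    return {"empty_credentials": user == "" or pw == ""}


def find_suspicious(log_text: str):
    """Scan access-log text and collect requests matching the pattern.
    Parameters sent in a POST body never reach an access log, so this only
    catches the URL form the advisory describes; the real fix is the upgrade."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format
        verdict = classify_request(m["url"])
        if verdict is not None:
            hits.append({"ip": m["ip"], "url": m["url"],
                         "status": int(m["status"]), **verdict})
    return hits
```

A 200 status on a flagged request is the case worth escalating, since it means the login check reported success.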