Critical vulnerability in Apache OFBiz reported, expecting exploits
Take action: If you are using Apache OFBiz, lock down access from the internet, then patch as soon as possible. All details of the issue are public, so attacks will start very soon.
Learn More
Apache OFBiz, a widely used open-source framework for building enterprise resource planning (ERP) applications, has reported a critical security vulnerability.
The vulnerability, tracked as CVE-2024-38856 (CVSS score 9.1), could enable unauthenticated remote code execution. The root cause is a flaw in the authentication mechanism that lets unauthenticated users reach functions that normally require authentication, allowing screen rendering code to be executed through unauthenticated endpoints. This occurs under specific conditions where screen definitions rely on the endpoint configuration and therefore do not explicitly verify user permissions themselves.
Impacted versions are Apache OFBiz versions up to and including 18.12.14.
Another related vulnerability, CVE-2024-45195 (CVSS score 7.5), affects any version of Apache OFBiz earlier than v18.12.16. This flaw also allows direct request ('Forced Browsing') in Apache OFBiz. Users are advised to upgrade to version 18.12.16 or later for this flaw.
Organizations utilizing Apache OFBiz should implement patches and/or upgrade to version 18.12.15.
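As an added example that is not part of the original advisory or of the OFBiz project, the following script turns the version ranges stated above (CVE-2024-38856 up to and including 18.12.14, CVE-2024-45195 earlier than 18.12.16) into an inventory check, so a defender can quickly see which installed instances still need the upgrade. Hostnames in the sample inventory are constructed placeholders.

```python
"""Check Apache OFBiz versions against the affected ranges stated in the advisory.

Added example, not OFBiz project code. The ranges come from the advisory text:
CVE-2024-38856 affects releases up to and including 18.12.14,
CVE-2024-45195 affects any release earlier than 18.12.16.
"""
import re
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, ...]

# (CVE id, first fixed version): a release is affected if it is older than the fix
ADVISORIES = [
    ("CVE-2024-38856", (18, 12, 15)),   # "up to and including 18.12.14"
    ("CVE-2024-45195", (18, 12, 16)),   # "earlier than v18.12.16"
]


def parse_version(text: str) -> Version:
    """Turn strings like 'v18.12.14' or '18.12.16-SNAPSHOT' into a comparable tuple.

    Only the leading dotted-integer part is used; anything after it (suffixes
    such as -SNAPSHOT) is ignored. Raises ValueError on unrecognised input.
    """
    m = re.match(r"^v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def applicable_cves(installed: str) -> List[str]:
    """Return the advisory CVE ids that still apply to the given installed version."""
    ver = parse_version(installed)
    # Tuple comparison handles shorter versions too: (18, 12) < (18, 12, 15)
    return [cve for cve, fixed in ADVISORIES if ver < fixed]


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each (hostname, version) pair to the list of CVEs that apply to it."""
    return {host: applicable_cves(ver) for host, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders, not real systems
    sample = [
        ("erp-prod-01", "18.12.14"),
        ("erp-test-01", "v18.12.15"),
        ("erp-dev-01", "18.12.16"),
    ]
    for host, cves in triage(sample).items():
        print(host, "->", ", ".join(cves) if cves else "not affected by either CVE")
```

Feed it the version strings reported by each OFBiz instance (for example from a configuration-management inventory); any host that still lists a CVE should be isolated from the internet until it has been upgraded.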