A new zero-day pre-authentication remote code execution vulnerability has been disclosed in the Apache OFBiz open-source enterprise resource planning (ERP) system, potentially allowing threat actors to achieve remote code execution on affected instances.
Tracked as CVE-2024-38856, the flaw has a CVSS score of 9.8 out of 10.0 and affects Apache OFBiz versions prior to 18.12.15.
“The root cause of the vulnerability lies in a flaw in the authentication mechanism,” said SonicWall, which discovered and reported the issue.
“This flaw allows an unauthenticated user to access functionalities that generally require the user to be logged in, paving the way for remote code execution.”
CVE-2024-38856 is also a patch bypass for CVE-2024-36104, a path traversal vulnerability addressed in early June with the release of version 18.12.14.
SonicWall described the flaw as residing in the override view functionality, which exposes critical endpoints to unauthenticated threat actors who could exploit it to achieve remote code execution via specially crafted requests.
“Unauthenticated access was allowed to the ProgramExport endpoint by chaining it with any other endpoints that do not require authentication by abusing the override view functionality,” explained security researcher Hasib Vhora.
This development comes as another critical path traversal vulnerability in OFBiz (CVE-2024-32113), which could result in remote code execution, has come under active exploitation to deploy the Mirai botnet. It was patched in May 2024.
In December 2023, SonicWall also disclosed a zero-day flaw in the same software (CVE-2023-51467) that allowed bypassing authentication protections, which subsequently faced numerous exploitation attempts.
 system, potentially allowing threat actors to achieve remote code execution on affected instances.){kind=link}