Apache OFBiz vulnerable to 'Forced Browsing' (Direct Request) attack
CVE-2024-45195
Key Information:
- Vendor: Apache
- Status: Vendor
- CVE Published: 4 September 2024
Summary
The vulnerability CVE-2024-45195 affects Apache OFBiz versions before 18.12.16, allowing attackers to execute arbitrary code on the server without valid credentials. This vulnerability poses a severe risk to organizations relying on OFBiz, including potential data theft, disruption of operations, and lateral movement and persistence within the network. Apache has released a patch in version 18.12.16 to address this vulnerability, along with three other related vulnerabilities. Previous vulnerabilities in Apache OFBiz have been actively exploited, making it crucial for organizations to promptly implement the patch to safeguard their critical data and mitigate their attack surface.
CISA Reported
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified this one as being exploited, but it is not known to CISA to be used in ransomware campaigns. This is subject to change at pace.
The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
Apache OFBiz: all versions before 18.12.16 (0 <= version < 18.12.16)
News Articles
Apache Fixes OFBiz Remote Code Execution Flaw
Apache has issued a fix in OFBiz (Open For Business) that addresses an unauthenticated remote code execution bug.
5 months ago
Apache OFBiz patches new critical remote code execution flaw
The vulnerability represents a bypass of fixes put in place this year for three critical RCE flaws that had the same root cause and have since been used in attacks.
5 months ago
Critical Apache OFBiz RCE Vulnerability Patched CVE-2024-45195
Apache OFBiz has released a critical patch for an RCE vulnerability. Users are urged to update their installations immediately.
5 months ago
References
CVSS V3.1
Timeline
- CISA Reported
- Exploit known to exist
- First article discovered by SecurityWeek
- Vulnerability published
- Vulnerability Reserved