Apache OFBiz fixed a critical flaw (CVE-2024-45195) allowing arbitrary code execution. Upgrade to version 18.12.16 to secure your servers.

Continue reading
Apache has addressed a severe security vulnerability in its open-source OFBiz (Open For Business) software. This flaw, tracked as CVE-2024-45195, could allow unauthorized attackers to execute arbitrary code on affected Linux and Windows servers. OFBiz, a versatile suite for customer relationship management (CRM) and enterprise resource planning (ERP) applications, also serves as a Java-based web framework for web development.
Discovered by Rapid7 researchers, the vulnerability stems from a forced browsing weakness, which exposes restricted paths to unauthenticated direct request attacks. According to Ryan Emmons, a security researcher at Rapid7, this flaw allows attackers to bypass missing view authorization checks in the OFBiz web application, potentially leading to arbitrary code execution on the server.
Proof-of-Concept (PoC) Exploit: Emmons provided a PoC exploit code in his report, illustrating how an attacker can exploit this vulnerability without valid credentials.
The Apache security team has addressed CVE-2024-45195 in OFBiz version 18.12.16 by introducing necessary authorization checks. Users of OFBiz are strongly advised to upgrade to this version to mitigate potential security risks.
CVE-2024-45195 is identified as a bypass for three earlier OFBiz vulnerabilities: CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856. Emmons' analysis indicates that these vulnerabilities share a common root cause—a controller-view map fragmentation issue—that allows attackers to execute code or SQL queries, resulting in remote code execution without authentication.
Historical Context:
The Cybersecurity and Infrastructure Security Agency (CISA) issued a warning in early August about the exploitation of CVE-2024-32113, shortly after SonicWall's disclosure of CVE-2024-38856. CISA added these vulnerabilities to its catalog of actively exploited flaws, enforcing a binding operational directive (BOD 22-01) for federal agencies to patch their servers within three weeks.
Note: While BOD 22-01 specifically applies to Federal Civilian Executive Branch (FCEB) agencies, CISA has urged all organizations to prioritize these patches to prevent potential network breaches.
In December, additional exploitation of OFBiz vulnerabilities, including CVE-2023-49070, was reported. Attackers utilized public PoC exploits to target vulnerable Confluence servers, underscoring the importance of prompt patching and continuous monitoring.
The patching of CVE-2024-45195 is a crucial update for OFBiz users, addressing a significant security flaw with potential for severe impact. Organizations must act swiftly to apply the latest update to safeguard their systems from exploitation and to ensure compliance with security directives.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.