The vulnerability was uncovered by researchers at SonicWall’s Capture Labs threat research team. It stems from a flaw in the override view functionality that exposes critical endpoints to unauthenticated threat actors using specially crafted requests, which could lead to remote code execution without any authentication.
Organizations widely use Apache OFBiz to manage various business processes, including accounting, human resources, customer relationship management, and e-commerce.
According to available data, approximately 170 companies utilize Apache OFBiz, with 41% of users based in the United States. Notable users include United Airlines, Atlassian JIRA, Home Depot, HP, and Upwork.
Researchers discovered the vulnerability while analyzing a previously patched flaw (CVE-2024-36104). They found that manipulating certain request parameters could bypass authentication checks and access restricted endpoints.
SonicWall responsibly disclosed the vulnerability to the Apache OFBiz team, who promptly developed and released a patch. To mitigate the risk, users are strongly urged to upgrade their OFBiz installations to version 18.12.15 or newer.
This marks the second major Apache OFBiz vulnerability reported by SonicWall in recent months, following another critical flaw found in December 2023. The quick succession of severe vulnerabilities highlights the importance of timely patching and ongoing security assessments for critical business software.
Currently, there is no evidence of active exploitation of this vulnerability in the wild. However, given the critical nature of the flaw and the widespread use of Apache OFBiz in enterprise environments, organizations are advised to take immediate action to protect their systems.
The vulnerability in Apache OFBiz was promptly addressed and fixed, with the following commit.