Experts warn of critical Zero-Day in Apache OfBiz


Experts warn of an authentication bypass zero-day flaw that affects Apache OfBiz, an open-source Enterprise Resource Planning (ERP) system.

An attacker can trigger the vulnerability, tracked as CVE-2023-51467, to bypass authentication and achieve a simple Server-Side Request Forgery (SSRF).

The issue resides in the login functionality and results from an incomplete patch for the pre-auth RCE vulnerability CVE-2023-49070 (CVSS score: 9.8).

SonicWall researchers pointed out that Apache OfBiz is part of the supply chain of prominent software, such as Atlassian’s JIRA (used by over 120K companies).