CVE-2024-45195 — Apache OFBiz Forced Browsing Vulnerability

Apache OFBiz — Unauthenticated Forced Browsing Bypasses Auth Checks; Final in a Series of 2024 OFBiz Auth Bypasses

What is Apache OFBiz?

Apache OFBiz (Open For Business) is an open-source enterprise resource planning (ERP) and customer relationship management (CRM) platform built on Java. It provides a broad suite of business applications — order management, inventory, accounting, e-commerce, and CRM — often deployed as a foundation for custom enterprise applications. OFBiz is internet-accessible in many deployments because it hosts customer-facing e-commerce storefronts and partner portals. Its Java-based architecture and complex URL routing have made it a recurring target for authentication bypass vulnerabilities in 2023–2024.

Overview

CVE-2024-45195 is a forced browsing (direct request) vulnerability in Apache OFBiz that allows an unauthenticated remote attacker to access protected application endpoints directly, bypassing the authentication framework. It is the latest in a series of OFBiz authentication bypass vulnerabilities in 2024 — following CVE-2023-51467 and CVE-2024-32113 — each bypassing the fix introduced by the previous patch. Apache OFBiz 18.12.16 (September 2024) addresses this bypass. CISA added it to the KEV catalog in February 2025, confirming active exploitation.

Affected Versions

Product        Vulnerable    Fixed
Apache OFBiz   < 18.12.16    18.12.16

Technical Details

CWE-425 (Direct Request / Forced Browsing). OFBiz's URL-based access control relies on the request path matching authentication-required patterns. The vulnerability arises because the access control check can be bypassed by crafting a request URL that does not match the protected path pattern — for example, by appending specific suffixes, inserting traversal sequences, or using alternative URL encodings — while still reaching the protected endpoint on the server side. The discrepancy between how the access control framework interprets the URL and how the servlet container routes it allows unauthenticated access to internal views and actions.

This class of vulnerability is particularly persistent in OFBiz because the framework's URL routing is complex and has multiple bypass surfaces. The progression from CVE-2023-51467 → CVE-2024-32113 → CVE-2024-38856 → CVE-2024-45195 demonstrates an iterative pattern where each patch addressed a specific bypass vector while leaving others open.

Discovery

Reported to the Apache OFBiz security team. The 5-month gap between CVE publication (September 2024) and CISA KEV addition (February 2025) suggests exploitation was detected in the wild after an extended period of unpatched deployments.

Exploitation Context

Apache OFBiz authentication bypass vulnerabilities have been actively exploited since 2023, with threat actors using them to access back-office administration panels, extract business data, and in some cases achieve remote code execution by reaching Groovy script execution endpoints within OFBiz. The consistent exploitation of successive bypass CVEs in the same product indicates sustained attacker focus and the difficulty organizations have in keeping up with rapid patch cycles for complex enterprise applications.

Remediation

  1. Upgrade Apache OFBiz to version 18.12.16 or later — this is the only reliable fix.
  2. Restrict OFBiz administrative console access to trusted internal IP addresses using a WAF or reverse proxy; only the customer-facing e-commerce interface should be publicly accessible if required.
  3. Review OFBiz access logs for unauthenticated requests to admin/back-office paths prior to patching.
  4. Monitor the Apache OFBiz security mailing list for future vulnerability disclosures — the pattern of successive bypass CVEs suggests continued research attention on this product.
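To support remediation step 3 (reviewing access logs for unauthenticated back-office requests) and to make concrete the access-control versus routing discrepancy described under Technical Details, the following log-triage script is an added example, not code from the advisory or the OFBiz project. It assumes Tomcat-style common access-log lines, uses constructed placeholder back-office prefixes and constructed sample lines, and approximates container-side path canonicalization with percent-decoding plus dot-segment resolution; it flags requests that reach a protected path without a remote user or via a raw URL that a naive prefix rule would not match.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed placeholder prefixes; replace with the back-office path prefixes of your deployment.
PROTECTED_PREFIXES = ("/backoffice/control", "/admin")

# Tomcat AccessLogValve common format: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def canonical_path(target):
    """Approximate the path the container routes: drop the query string,
    percent-decode twice (catches double encoding), resolve dot segments, collapse '//'."""
    path = posixpath.normpath(unquote(unquote(target.split("?", 1)[0])))
    return path if path.startswith("/") else "/" + path

def is_protected(path):
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)  # naive prefix rule

def triage(log_lines):
    """Flag requests whose canonical path is protected but which arrive without a remote
    user, or whose raw path escapes the prefix rule that the canonical path hits."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line in the expected format
        raw = m["target"].split("?", 1)[0]
        canon = canonical_path(m["target"])
        if not is_protected(canon):
            continue
        reasons = []
        if m["user"] == "-":
            reasons.append("unauthenticated")
        if not is_protected(raw):
            reasons.append("path-evasion")  # raw URL dodges the rule, canonical URL does not
        if reasons:
            findings.append({"ip": m["ip"], "raw": raw, "canonical": canon,
                             "status": int(m["status"]), "reasons": reasons})
    return findings

# Constructed sample lines (not real traffic): lines 2-3 use the generic traversal/encoding forms the advisory names, line 4 is a legitimate authenticated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Sep/2024:10:01:02 +0000] "GET /shop/control/main HTTP/1.1" 200 512',
    '203.0.113.7 - - [04/Sep/2024:10:01:05 +0000] "GET /shop/../backoffice/control/main HTTP/1.1" 200 9100',
    '203.0.113.7 - - [04/Sep/2024:10:01:09 +0000] "GET /shop/%2e%2e/backoffice//control/main HTTP/1.1" 200 9100',
    '198.51.100.2 - admin [04/Sep/2024:10:02:00 +0000] "GET /backoffice/control/main HTTP/1.1" 200 9100',
]
```

A 200 response on a flagged line is the stronger signal; a redirect to the login view on the same path suggests the access check held.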

Key Details

Property              Value
CVE ID                CVE-2024-45195
Vendor / Product      Apache — OFBiz
NVD Published         2024-09-04
NVD Last Modified     2025-10-23
CVSS 3.1 Score        7.5
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity              HIGH
CWE                   CWE-425
CISA KEV Added        2025-02-04
CISA KEV Deadline     2025-02-25
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             None
Availability          None

Required Action

CISA BOD 22-01 Deadline: 2025-02-25. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2024-09-04   CVE published; Apache OFBiz 18.12.16 released fixing forced browsing bypass
2025-02-04   Added to CISA Known Exploited Vulnerabilities catalog
2025-02-25   CISA BOD 22-01 remediation deadline

References

Resource                      Type
Apache OFBiz Security Page    Vendor Advisory
NVD — CVE-2024-45195          Vulnerability Database
CISA KEV Catalog Entry        US Government