Search criteria
4 vulnerabilities found for openedge by progress
CVE-2024-7346 (GCVE-0-2024-7346)
Vulnerability from cvelistv5 – Published: 2024-09-03 14:51 – Updated: 2024-09-03 15:06
VLAI?
Title
Client connections using default TLS certificates from OpenEdge may bypass TLS host name validation
Summary
Host name validation for TLS certificates is bypassed when the installed OpenEdge default certificates are used to perform the TLS handshake for a networked connection. This has been corrected so that default certificates are no longer capable of overriding host name validation and will need to be replaced where full TLS certificate validation is needed for network security. The existing certificates should be replaced with CA-signed certificates from a recognized certificate authority that contain the necessary information to support host name validation.
Severity ?
7.2 (High)
CWE
- CWE-297 - Improper Validation of Certificate with Host Mismatch
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:progress:openedge:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "openedge",
"vendor": "progress",
"versions": [
{
"lessThanOrEqual": "11.7.19",
"status": "affected",
"version": "11.7.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.2.14",
"status": "affected",
"version": "12.2.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "12.8.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7346",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-03T15:03:24.623163Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T15:06:04.578Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"PASOE Application Server",
"OpenEdge Authentication Gateway"
],
"platforms": [
"Windows",
"Linux",
"64 bit",
"x86",
"32 bit"
],
"product": "OpenEdge",
"vendor": "Progress",
"versions": [
{
"lessThanOrEqual": "11.7.19",
"status": "affected",
"version": "11.7.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.2.14",
"status": "affected",
"version": "12.2.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "12.8.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use of the legacy OpenEdge default TLS/SSL certificates in TLS-networked connections in an OpenEdge installation.\u003cbr\u003e"
}
],
"value": "Use of the legacy OpenEdge default TLS/SSL certificates in TLS-networked connections in an OpenEdge installation."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Host name validation for TLS certificates is bypassed when the installed OpenEdge default certificates are used to perform the TLS handshake for a networked connection.\u0026nbsp; This has been corrected so that default certificates are no longer capable of overriding host name validation and will need to be replaced where full TLS certificate validation is needed for network security.\u0026nbsp; The existing certificates should be replaced with CA-signed certificates from a recognized certificate authority that contain the necessary information to support host name validation.\u0026nbsp; \u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Host name validation for TLS certificates is bypassed when the installed OpenEdge default certificates are used to perform the TLS handshake for a networked connection.\u00a0 This has been corrected so that default certificates are no longer capable of overriding host name validation and will need to be replaced where full TLS certificate validation is needed for network security.\u00a0 The existing certificates should be replaced with CA-signed certificates from a recognized certificate authority that contain the necessary information to support host name validation."
}
],
"impacts": [
{
"capecId": "CAPEC-272",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-272: Protocol Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-297",
"description": "CWE-297: Improper Validation of Certificate with Host Mismatch",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T14:51:03.551Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Client-connections-using-default-TLS-certificates-from-OpenEdge-may-bypass-TLS-host-name-validation"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use the 12.8.0 or above LTS release where the vulnerability does not exist\u003cbr\u003e"
}
],
"value": "Use the 12.8.0 or above LTS release where the vulnerability does not exist"
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use the 12.2 LTS release at the 12.2.15 Update level or above\n\n\u003cbr\u003e"
}
],
"value": "Use the 12.2 LTS release at the 12.2.15 Update level or above"
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use the 11.7 LTS release at the 11.7.20 Update level or above\n\n\u003cbr\u003e"
}
],
"value": "Use the 11.7 LTS release at the 11.7.20 Update level or above"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Client connections using default TLS certificates from OpenEdge may bypass TLS host name validation",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eReplace all use of default OpenEdge TLS certificates with a CA-signed certificate from a recognized certificate authority that contains the necessary information to support host name validation\n\n\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "Replace all use of default OpenEdge TLS certificates with a CA-signed certificate from a recognized certificate authority that contains the necessary information to support host name validation"
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use the \"nohostverify\" switch in development environments when clients need to bypass host name validation as a convenience prior to establishing valid certificates for production.\u003cbr\u003e"
}
],
"value": "Use the \"nohostverify\" switch in development environments when clients need to bypass host name validation as a convenience prior to establishing valid certificates for production."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2024-7346",
"datePublished": "2024-09-03T14:51:03.551Z",
"dateReserved": "2024-07-31T17:32:10.370Z",
"dateUpdated": "2024-09-03T15:06:04.578Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-7345 (GCVE-0-2024-7345)
Vulnerability from cvelistv5 – Published: 2024-09-03 14:50 – Updated: 2024-09-03 15:08
VLAI?
Title
Direct local client connections to MS Agents can bypass authentication
Summary
Local ABL Client bypass of the required PASOE security checks may allow an attacker to commit unauthorized code injection into Multi-Session Agents on supported OpenEdge LTS platforms up to OpenEdge LTS 11.7.18 and LTS 12.2.13 on all supported release platforms
Severity ?
8.3 (High)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:progress:openedge:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "openedge",
"vendor": "progress",
"versions": [
{
"lessThanOrEqual": "11.7.19",
"status": "affected",
"version": "11.7.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.2.14",
"status": "affected",
"version": "12.2.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "12.8.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7345",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-03T15:06:48.221094Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T15:08:13.876Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"PASOE Application Server",
"OpenEdge Authentication Gateway"
],
"platforms": [
"Windows",
"Linux",
"64 bit",
"x86",
"32 bit"
],
"product": "OpenEdge",
"vendor": "Progress",
"versions": [
{
"lessThanOrEqual": "11.7.19",
"status": "affected",
"version": "11.7.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.2.14",
"status": "affected",
"version": "12.2.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "12.8.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An active instance of OpenEdge PASOE\u0027s Tomcat Webserver and local or system adjacent access to an ABL client on the Webserver host\u003cbr\u003e"
}
],
"value": "An active instance of OpenEdge PASOE\u0027s Tomcat Webserver and local or system adjacent access to an ABL client on the Webserver host"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Local ABL Client bypass of the required PASOE security checks may allow an attacker to commit unauthorized code injection into Multi-Session Agents on supported OpenEdge LTS platforms up to OpenEdge LTS 11.7.18 and LTS 12.2.13 on all supported release platforms"
}
],
"value": "Local ABL Client bypass of the required PASOE security checks may allow an attacker to commit unauthorized code injection into Multi-Session Agents on supported OpenEdge LTS platforms up to OpenEdge LTS 11.7.18 and LTS 12.2.13 on all supported release platforms"
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T14:50:15.520Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Direct-local-client-connections-to-MS-Agents-can-bypass-authentication"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use the 12.8.0 or above LTS release where the vulnerability does not exist\u003cbr\u003e"
}
],
"value": "Use the 12.8.0 or above LTS release where the vulnerability does not exist"
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use the 12.2 LTS release at the 12.2.14 Update level or above\u003cbr\u003e"
}
],
"value": "Use the 12.2 LTS release at the 12.2.14 Update level or above"
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use the 11.7 LTS release at the 11.7.19 Update level or above\n\n\u003cbr\u003e"
}
],
"value": "Use the 11.7 LTS release at the 11.7.19 Update level or above"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Direct local client connections to MS Agents can bypass authentication",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eDo not put client software on host webserver systems\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "Do not put client software on host webserver systems"
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Ensure the \"AppServer.SessMgr.agentHost\" property is set to \"localhost\" unless you are multi-hosting a single Webserver system\u003cbr\u003e"
}
],
"value": "Ensure the \"AppServer.SessMgr.agentHost\" property is set to \"localhost\" unless you are multi-hosting a single Webserver system"
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Block agent listening ports from network access anywhere with the exception of the PASOE Tomcat Webserver\u0027s published listening port\u003cbr\u003e"
}
],
"value": "Block agent listening ports from network access anywhere with the exception of the PASOE Tomcat Webserver\u0027s published listening port"
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Launch PASOE agent processes with \"least privilege\" system resource capabilities\u003cbr\u003e"
}
],
"value": "Launch PASOE agent processes with \"least privilege\" system resource capabilities"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2024-7345",
"datePublished": "2024-09-03T14:50:15.520Z",
"dateReserved": "2024-07-31T17:32:09.678Z",
"dateUpdated": "2024-09-03T15:08:13.876Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-7654 (GCVE-0-2024-7654)
Vulnerability from cvelistv5 – Published: 2024-09-03 14:48 – Updated: 2024-09-03 15:09
VLAI?
Title
Unauthenticated Content Injection in OpenEdge Management web interface via ActiveMQ discovery service
Summary
An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated. Unauthorized access to the discovery service's UDP port allowed content injection into parts of the OEM web interface making it possible for other types of attack that could spoof or deceive web interface users. Unauthorized use of the OEE/OEM discovery service was remediated by deactivating the discovery service by default.
Severity ?
8.3 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:progress:openedge:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "openedge",
"vendor": "progress",
"versions": [
{
"lessThan": "11.7.19",
"status": "affected",
"version": "11.7.0",
"versionType": "custom"
},
{
"lessThan": "12.2.15",
"status": "affected",
"version": "12.2.0",
"versionType": "custom"
},
{
"lessThan": "12.8.2",
"status": "affected",
"version": "12.8.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7654",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-03T15:08:38.821486Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T15:09:51.475Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"OpenEdge Explorer",
"OpenEdge Management"
],
"platforms": [
"Windows",
"Linux",
"x86",
"64 bit",
"32 bit"
],
"product": "OpenEdge",
"vendor": "Progress",
"versions": [
{
"lessThan": "11.7.19",
"status": "affected",
"version": "11.7.0",
"versionType": "custom"
},
{
"lessThan": "12.2.15",
"status": "affected",
"version": "12.2.0",
"versionType": "custom"
},
{
"lessThan": "12.8.2",
"status": "affected",
"version": "12.8.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated.\u0026nbsp; Unauthorized access to the discovery service\u0027s UDP port allowed content injection into parts of the OEM web interface making it possible for other types of attack that could spoof or deceive web interface users.\u0026nbsp;\u0026nbsp; Unauthorized use of the OEE/OEM discovery service was remediated by deactivating the discovery service by default.\u0026nbsp; \u003cbr\u003e"
}
],
"value": "An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated.\u00a0 Unauthorized access to the discovery service\u0027s UDP port allowed content injection into parts of the OEM web interface making it possible for other types of attack that could spoof or deceive web interface users.\u00a0\u00a0 Unauthorized use of the OEE/OEM discovery service was remediated by deactivating the discovery service by default."
}
],
"impacts": [
{
"capecId": "CAPEC-18",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-18: XSS Targeting Non-Script Elements"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T14:48:00.539Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Unauthenticated-Content-Injection-in-OpenEdge-Management-web-interface-via-ActiveMQ-discovery-service"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use the 12.8.3 or above LTS release where the vulnerability does not exist\n\n\u003cbr\u003e"
}
],
"value": "Use the 12.8.3 or above LTS release where the vulnerability does not exist"
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use the 12.2 LTS release at the 12.2.15 Update level or above\n\n\n\n\u003cbr\u003e"
}
],
"value": "Use the 12.2 LTS release at the 12.2.15 Update level or above"
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use the 11.7 LTS release at the 11.7.20 Update level or above\n\n\n\n\n\n\u003cbr\u003e"
}
],
"value": "Use the 11.7 LTS release at the 11.7.20 Update level or above"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Unauthenticated Content Injection in OpenEdge Management web interface via ActiveMQ discovery service",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2024-7654",
"datePublished": "2024-09-03T14:48:00.539Z",
"dateReserved": "2024-08-09T18:27:48.920Z",
"dateUpdated": "2024-09-03T15:09:51.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1403 (GCVE-0-2024-1403)
Vulnerability from cvelistv5 – Published: 2024-02-27 15:39 – Updated: 2024-08-12 19:27
VLAI?
Title
Authentication Bypass in OpenEdge Authentication Gateway and AdminServer
Summary
In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified. The
vulnerability is a bypass to authentication based on a failure to properly
handle username and password. Certain unexpected
content passed into the credentials can lead to unauthorized access without proper
authentication.
Severity ?
10 (Critical)
CWE
- CWE-305 - Authentication Bypass by Primary Weakness
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:40:21.248Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.progress.com/openedge"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://community.progress.com/s/article/Important-Critical-Alert-for-OpenEdge-Authentication-Gateway-and-AdminServer"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:progress:openedge:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "openedge",
"vendor": "progress",
"versions": [
{
"lessThan": "11.7.19",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThan": "12.2.14",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.8.1",
"status": "affected",
"version": "12.8.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1403",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-16T04:00:49.775339Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T19:27:43.016Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"OpenEdge Authentication Gateway",
"AdminServer"
],
"platforms": [
"Windows",
"Linux",
"x86",
"64 bit",
"32 bit"
],
"product": "OpenEdge",
"vendor": "Progress",
"versions": [
{
"lessThan": "11.7.19",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThan": "12.2.14",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.8.1",
"status": "affected",
"version": "12.8.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified.\u0026nbsp; The\nvulnerability is a bypass to authentication based on a failure to properly\nhandle username and password. Certain unexpected\ncontent passed into the credentials can lead to unauthorized access without proper\nauthentication. \u0026nbsp; \n\n\n\n\n\n\u003cbr\u003e"
}
],
"value": "In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified.\u00a0 The\nvulnerability is a bypass to authentication based on a failure to properly\nhandle username and password. Certain unexpected\ncontent passed into the credentials can lead to unauthorized access without proper\nauthentication. \u00a0 \n\n\n\n\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305: Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-27T15:39:54.850Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/openedge"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Important-Critical-Alert-for-OpenEdge-Authentication-Gateway-and-AdminServer"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authentication Bypass in OpenEdge Authentication Gateway and AdminServer",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2024-1403",
"datePublished": "2024-02-27T15:39:54.850Z",
"dateReserved": "2024-02-09T15:46:27.472Z",
"dateUpdated": "2024-08-12T19:27:43.016Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}