CVE-2024-1403 (GCVE-0-2024-1403)
Vulnerability from cvelistv5 – Published: 2024-02-27 15:39 – Updated: 2024-08-12 19:27
VLAI?
Summary
In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified. The
vulnerability is a bypass to authentication based on a failure to properly
handle username and password. Certain unexpected
content passed into the credentials can lead to unauthorized access without proper
authentication.
Severity ?
10 (Critical)
CWE
- CWE-305 - Authentication Bypass by Primary Weakness
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:40:21.248Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.progress.com/openedge"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://community.progress.com/s/article/Important-Critical-Alert-for-OpenEdge-Authentication-Gateway-and-AdminServer"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:progress:openedge:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "openedge",
"vendor": "progress",
"versions": [
{
"lessThan": "11.7.19",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThan": "12.2.14",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.8.1",
"status": "affected",
"version": "12.8.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1403",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-16T04:00:49.775339Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T19:27:43.016Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"OpenEdge Authentication Gateway",
"AdminServer"
],
"platforms": [
"Windows",
"Linux",
"x86",
"64 bit",
"32 bit"
],
"product": "OpenEdge",
"vendor": "Progress",
"versions": [
{
"lessThan": "11.7.19",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThan": "12.2.14",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.8.1",
"status": "affected",
"version": "12.8.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified.\u0026nbsp; The\nvulnerability is a bypass to authentication based on a failure to properly\nhandle username and password. Certain unexpected\ncontent passed into the credentials can lead to unauthorized access without proper\nauthentication. \u0026nbsp; \n\n\n\n\n\n\u003cbr\u003e"
}
],
"value": "In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified.\u00a0 The\nvulnerability is a bypass to authentication based on a failure to properly\nhandle username and password. Certain unexpected\ncontent passed into the credentials can lead to unauthorized access without proper\nauthentication. \u00a0 \n\n\n\n\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305: Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-27T15:39:54.850Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/openedge"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Important-Critical-Alert-for-OpenEdge-Authentication-Gateway-and-AdminServer"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authentication Bypass in OpenEdge Authentication Gateway and AdminServer",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2024-1403",
"datePublished": "2024-02-27T15:39:54.850Z",
"dateReserved": "2024-02-09T15:46:27.472Z",
"dateUpdated": "2024-08-12T19:27:43.016Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified.\\u00a0 The\\nvulnerability is a bypass to authentication based on a failure to properly\\nhandle username and password. Certain unexpected\\ncontent passed into the credentials can lead to unauthorized access without proper\\nauthentication. \\u00a0 \\n\\n\\n\\n\\n\\n\\n\"}, {\"lang\": \"es\", \"value\": \"En OpenEdge Authentication Gateway y AdminServer anteriores a 11.7.19, 12.2.14, 12.8.1 en todas las plataformas compatibles con el producto OpenEdge, se identific\\u00f3 una vulnerabilidad de omisi\\u00f3n de autenticaci\\u00f3n. La vulnerabilidad es una omisi\\u00f3n de la autenticaci\\u00f3n basada en una falla al manejar adecuadamente el nombre de usuario y la contrase\\u00f1a. Cierto contenido inesperado que se pasa a las credenciales puede provocar un acceso no autorizado sin la autenticaci\\u00f3n adecuada.\"}]",
"id": "CVE-2024-1403",
"lastModified": "2024-11-21T08:50:30.643",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security@progress.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"baseScore\": 10.0, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 6.0}]}",
"published": "2024-02-27T16:15:45.643",
"references": "[{\"url\": \"https://community.progress.com/s/article/Important-Critical-Alert-for-OpenEdge-Authentication-Gateway-and-AdminServer\", \"source\": \"security@progress.com\"}, {\"url\": \"https://www.progress.com/openedge\", \"source\": \"security@progress.com\"}, {\"url\": \"https://community.progress.com/s/article/Important-Critical-Alert-for-OpenEdge-Authentication-Gateway-and-AdminServer\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.progress.com/openedge\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "security@progress.com",
"vulnStatus": "Undergoing Analysis",
"weaknesses": "[{\"source\": \"security@progress.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-305\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-1403\",\"sourceIdentifier\":\"security@progress.com\",\"published\":\"2024-02-27T16:15:45.643\",\"lastModified\":\"2025-02-11T17:40:59.267\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified.\u00a0 The\\nvulnerability is a bypass to authentication based on a failure to properly\\nhandle username and password. Certain unexpected\\ncontent passed into the credentials can lead to unauthorized access without proper\\nauthentication. \u00a0 \\n\\n\\n\\n\\n\\n\\n\"},{\"lang\":\"es\",\"value\":\"En OpenEdge Authentication Gateway y AdminServer anteriores a 11.7.19, 12.2.14, 12.8.1 en todas las plataformas compatibles con el producto OpenEdge, se identific\u00f3 una vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n. La vulnerabilidad es una omisi\u00f3n de la autenticaci\u00f3n basada en una falla al manejar adecuadamente el nombre de usuario y la contrase\u00f1a. Cierto contenido inesperado que se pasa a las credenciales puede provocar un acceso no autorizado sin la autenticaci\u00f3n adecuada.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@progress.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":10.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@progress.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-305\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:progress:openedge:*:*:*:*:lts:*:*:*\",\"versionEndExcluding\":\"11.7.19\",\"matchCriteriaId\":\"EE51C6DF-9ADA-4C9C-9820-94DD94ADA656\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:progress:openedge:*:*:*:*:lts:*:*:*\",\"versionStartIncluding\":\"11.8\",\"versionEndExcluding\":\"12.2.14\",\"matchCriteriaId\":\"6BD175A1-83AF-410B-9CEE-C9B65F32F3B4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:progress:openedge:*:*:*:*:lts:*:*:*\",\"versionStartIncluding\":\"12.3\",\"versionEndExcluding\":\"12.8.1\",\"matchCriteriaId\":\"D2D98FDE-6A77-4604-904C-43ABCE323D48\"}]}]}],\"references\":[{\"url\":\"https://community.progress.com/s/article/Important-Critical-Alert-for-OpenEdge-Authentication-Gateway-and-AdminServer\",\"source\":\"security@progress.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.progress.com/openedge\",\"source\":\"security@progress.com\",\"tags\":[\"Product\"]},{\"url\":\"https://community.progress.com/s/article/Important-Critical-Alert-for-OpenEdge-Authentication-Gateway-and-AdminServer\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.progress.com/openedge\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.progress.com/openedge\", \"tags\": [\"product\", \"x_transferred\"]}, {\"url\": \"https://community.progress.com/s/article/Important-Critical-Alert-for-OpenEdge-Authentication-Gateway-and-AdminServer\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T18:40:21.248Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-1403\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-03-16T04:00:49.775339Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:progress:openedge:*:*:*:*:*:*:*:*\"], \"vendor\": \"progress\", \"product\": \"openedge\", \"versions\": [{\"status\": \"affected\", \"version\": \"11.7.0\", \"lessThan\": \"11.7.19\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"12.2.0\", \"lessThan\": \"12.2.14\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"12.8.0\", \"lessThan\": \"12.8.1\", \"versionType\": \"semver\"}], \"defaultStatus\": \"affected\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-12T19:27:37.068Z\"}}], \"cna\": {\"title\": \"Authentication Bypass in OpenEdge Authentication Gateway and AdminServer\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-115\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-115 Authentication Bypass\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 10, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Progress\", \"modules\": [\"OpenEdge Authentication Gateway\", \"AdminServer\"], \"product\": \"OpenEdge\", \"versions\": [{\"status\": \"affected\", \"version\": \"11.7.0\", \"lessThan\": \"11.7.19\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"12.2.0\", \"lessThan\": \"12.2.14\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"12.8.0\", \"lessThan\": \"12.8.1\", \"versionType\": \"semver\"}], \"platforms\": [\"Windows\", \"Linux\", \"x86\", \"64 bit\", \"32 bit\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://www.progress.com/openedge\", \"tags\": [\"product\"]}, {\"url\": \"https://community.progress.com/s/article/Important-Critical-Alert-for-OpenEdge-Authentication-Gateway-and-AdminServer\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified.\\u00a0 The\\nvulnerability is a bypass to authentication based on a failure to properly\\nhandle username and password. Certain unexpected\\ncontent passed into the credentials can lead to unauthorized access without proper\\nauthentication. \\u00a0 \\n\\n\\n\\n\\n\\n\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified.\u0026nbsp; The\\nvulnerability is a bypass to authentication based on a failure to properly\\nhandle username and password. Certain unexpected\\ncontent passed into the credentials can lead to unauthorized access without proper\\nauthentication. \u0026nbsp; \\n\\n\\n\\n\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-305\", \"description\": \"CWE-305: Authentication Bypass by Primary Weakness\"}]}], \"providerMetadata\": {\"orgId\": \"f9fea0b6-671e-4eea-8fde-31911902ae05\", \"shortName\": \"ProgressSoftware\", \"dateUpdated\": \"2024-02-27T15:39:54.850Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-1403\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-12T19:27:43.016Z\", \"dateReserved\": \"2024-02-09T15:46:27.472Z\", \"assignerOrgId\": \"f9fea0b6-671e-4eea-8fde-31911902ae05\", \"datePublished\": \"2024-02-27T15:39:54.850Z\", \"assignerShortName\": \"ProgressSoftware\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…