cve-2024-7654
Vulnerability from cvelistv5
Published
2024-09-03 14:48
Modified
2024-09-03 15:09
Summary
An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated.  Unauthorized access to the discovery service's UDP port allowed content injection into parts of the OEM web interface making it possible for other types of attack that could spoof or deceive web interface users.   Unauthorized use of the OEE/OEM discovery service was remediated by deactivating the discovery service by default.
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:progress:openedge:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "affected",
            "product": "openedge",
            "vendor": "progress",
            "versions": [
              {
                "lessThan": "11.7.19",
                "status": "affected",
                "version": "11.7.0",
                "versionType": "custom"
              },
              {
                "lessThan": "12.2.15",
                "status": "affected",
                "version": "12.2.0",
                "versionType": "custom"
              },
              {
                "lessThan": "12.8.2",
                "status": "affected",
                "version": "12.8.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-7654",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-03T15:08:38.821486Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-03T15:09:51.475Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "OpenEdge Explorer",
            "OpenEdge Management"
          ],
          "platforms": [
            "Windows",
            "Linux",
            "x86",
            "64 bit",
            "32 bit"
          ],
          "product": "OpenEdge",
          "vendor": "Progress",
          "versions": [
            {
              "lessThan": "11.7.19",
              "status": "affected",
              "version": "11.7.0",
              "versionType": "custom"
            },
            {
              "lessThan": "12.2.15",
              "status": "affected",
              "version": "12.2.0",
              "versionType": "custom"
            },
            {
              "lessThan": "12.8.2",
              "status": "affected",
              "version": "12.8.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated.\u0026nbsp; Unauthorized access to the discovery service\u0027s UDP port allowed content injection into parts of the OEM web interface making it possible for other types of attack that could spoof or deceive web interface users.\u0026nbsp;\u0026nbsp; Unauthorized use of the OEE/OEM discovery service was remediated by deactivating the discovery service by default.\u0026nbsp; \u003cbr\u003e"
            }
          ],
          "value": "An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated.\u00a0 Unauthorized access to the discovery service\u0027s UDP port allowed content injection into parts of the OEM web interface making it possible for other types of attack that could spoof or deceive web interface users.\u00a0\u00a0 Unauthorized use of the OEE/OEM discovery service was remediated by deactivating the discovery service by default."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-18",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-18: XSS Targeting Non-Script Elements"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-03T14:48:00.539Z",
        "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "shortName": "ProgressSoftware"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://community.progress.com/s/article/Unauthenticated-Content-Injection-in-OpenEdge-Management-web-interface-via-ActiveMQ-discovery-service"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Use the 12.8.3 or above LTS release where the vulnerability does not exist\n\n\u003cbr\u003e"
            }
          ],
          "value": "Use the 12.8.3 or above LTS release where the vulnerability does not exist"
        },
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Use the 12.2 LTS release at the 12.2.15 Update level or above\n\n\n\n\u003cbr\u003e"
            }
          ],
          "value": "Use the 12.2 LTS release at the 12.2.15 Update level or above"
        },
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Use the 11.7 LTS release at the 11.7.20 Update level or above\n\n\n\n\n\n\u003cbr\u003e"
            }
          ],
          "value": "Use the 11.7 LTS release at the 11.7.20 Update level or above"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Unauthenticated Content Injection in OpenEdge Management web interface via ActiveMQ discovery service",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
    "assignerShortName": "ProgressSoftware",
    "cveId": "CVE-2024-7654",
    "datePublished": "2024-09-03T14:48:00.539Z",
    "dateReserved": "2024-08-09T18:27:48.920Z",
    "dateUpdated": "2024-09-03T15:09:51.475Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:progress:openedge:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"11.7.19\", \"matchCriteriaId\": \"148C3BEA-FD57-492F-9214-38FF9C128B67\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:progress:openedge:*:*:*:*:lts:*:*:*\", \"versionStartIncluding\": \"12.2\", \"versionEndIncluding\": \"12.2.14\", \"matchCriteriaId\": \"21FD77B2-FC6C-4C65-8080-3884F2C10048\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:progress:openedge:*:*:*:*:lts:*:*:*\", \"versionStartIncluding\": \"12.8\", \"versionEndExcluding\": \"12.8.3\", \"matchCriteriaId\": \"A8DFC42C-6EBE-4770-B59C-B2C3B294FD8C\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated.\\u00a0 Unauthorized access to the discovery service\u0027s UDP port allowed content injection into parts of the OEM web interface making it possible for other types of attack that could spoof or deceive web interface users.\\u00a0\\u00a0 Unauthorized use of the OEE/OEM discovery service was remediated by deactivating the discovery service by default.\"}, {\"lang\": \"es\", \"value\": \"Se pod\\u00eda acceder a un servicio ActiveMQ Discovery de forma predeterminada desde una instalaci\\u00f3n de OpenEdge Management cuando se activaba una funci\\u00f3n de descubrimiento autom\\u00e1tico de OEE/OEM. El acceso no autorizado al puerto UDP del servicio de descubrimiento permiti\\u00f3 la inyecci\\u00f3n de contenido en partes de la interfaz web de OEM, lo que posibilit\\u00f3 otros tipos de ataques que podr\\u00edan suplantar o enga\\u00f1ar a los usuarios de la interfaz web. El uso no autorizado del servicio de descubrimiento de OEE/OEM se solucion\\u00f3 desactivando el servicio de descubrimiento de forma predeterminada.\"}]",
      "id": "CVE-2024-7654",
      "lastModified": "2024-09-05T13:53:16.540",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security@progress.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H\", \"baseScore\": 8.3, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.6, \"impactScore\": 6.0}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}]}",
      "published": "2024-09-03T15:15:17.223",
      "references": "[{\"url\": \"https://community.progress.com/s/article/Unauthenticated-Content-Injection-in-OpenEdge-Management-web-interface-via-ActiveMQ-discovery-service\", \"source\": \"security@progress.com\", \"tags\": [\"Mitigation\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "security@progress.com",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"security@progress.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-7654\",\"sourceIdentifier\":\"security@progress.com\",\"published\":\"2024-09-03T15:15:17.223\",\"lastModified\":\"2024-09-05T13:53:16.540\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated.\u00a0 Unauthorized access to the discovery service\u0027s UDP port allowed content injection into parts of the OEM web interface making it possible for other types of attack that could spoof or deceive web interface users.\u00a0\u00a0 Unauthorized use of the OEE/OEM discovery service was remediated by deactivating the discovery service by default.\"},{\"lang\":\"es\",\"value\":\"Se pod\u00eda acceder a un servicio ActiveMQ Discovery de forma predeterminada desde una instalaci\u00f3n de OpenEdge Management cuando se activaba una funci\u00f3n de descubrimiento autom\u00e1tico de OEE/OEM. El acceso no autorizado al puerto UDP del servicio de descubrimiento permiti\u00f3 la inyecci\u00f3n de contenido en partes de la interfaz web de OEM, lo que posibilit\u00f3 otros tipos de ataques que podr\u00edan suplantar o enga\u00f1ar a los usuarios de la interfaz web. El uso no autorizado del servicio de descubrimiento de OEE/OEM se solucion\u00f3 desactivando el servicio de descubrimiento de forma predeterminada.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@progress.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":8.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security@progress.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:progress:openedge:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"11.7.19\",\"matchCriteriaId\":\"148C3BEA-FD57-492F-9214-38FF9C128B67\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:progress:openedge:*:*:*:*:lts:*:*:*\",\"versionStartIncluding\":\"12.2\",\"versionEndIncluding\":\"12.2.14\",\"matchCriteriaId\":\"21FD77B2-FC6C-4C65-8080-3884F2C10048\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:progress:openedge:*:*:*:*:lts:*:*:*\",\"versionStartIncluding\":\"12.8\",\"versionEndExcluding\":\"12.8.3\",\"matchCriteriaId\":\"A8DFC42C-6EBE-4770-B59C-B2C3B294FD8C\"}]}]}],\"references\":[{\"url\":\"https://community.progress.com/s/article/Unauthenticated-Content-Injection-in-OpenEdge-Management-web-interface-via-ActiveMQ-discovery-service\",\"source\":\"security@progress.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-7654\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-03T15:08:38.821486Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:progress:openedge:*:*:*:*:*:*:*:*\"], \"vendor\": \"progress\", \"product\": \"openedge\", \"versions\": [{\"status\": \"affected\", \"version\": \"11.7.0\", \"lessThan\": \"11.7.19\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"12.2.0\", \"lessThan\": \"12.2.15\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"12.8.0\", \"lessThan\": \"12.8.2\", \"versionType\": \"custom\"}], \"defaultStatus\": \"affected\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-03T15:09:45.035Z\"}}], \"cna\": {\"title\": \"Unauthenticated Content Injection in OpenEdge Management web interface via ActiveMQ discovery service\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-18\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-18: XSS Targeting Non-Script Elements\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Progress\", \"modules\": [\"OpenEdge Explorer\", \"OpenEdge Management\"], \"product\": \"OpenEdge\", \"versions\": [{\"status\": \"affected\", \"version\": \"11.7.0\", \"lessThan\": \"11.7.19\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"12.2.0\", \"lessThan\": \"12.2.15\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"12.8.0\", \"lessThan\": \"12.8.2\", \"versionType\": \"custom\"}], \"platforms\": [\"Windows\", \"Linux\", \"x86\", \"64 bit\", \"32 bit\"], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Use the 12.8.3 or above LTS release where the vulnerability does not exist\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Use the 12.8.3 or above LTS release where the vulnerability does not exist\\n\\n\u003cbr\u003e\", \"base64\": false}]}, {\"lang\": \"en\", \"value\": \"Use the 12.2 LTS release at the 12.2.15 Update level or above\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Use the 12.2 LTS release at the 12.2.15 Update level or above\\n\\n\\n\\n\u003cbr\u003e\", \"base64\": false}]}, {\"lang\": \"en\", \"value\": \"Use the 11.7 LTS release at the 11.7.20 Update level or above\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Use the 11.7 LTS release at the 11.7.20 Update level or above\\n\\n\\n\\n\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://community.progress.com/s/article/Unauthenticated-Content-Injection-in-OpenEdge-Management-web-interface-via-ActiveMQ-discovery-service\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated.\\u00a0 Unauthorized access to the discovery service\u0027s UDP port allowed content injection into parts of the OEM web interface making it possible for other types of attack that could spoof or deceive web interface users.\\u00a0\\u00a0 Unauthorized use of the OEE/OEM discovery service was remediated by deactivating the discovery service by default.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated.\u0026nbsp; Unauthorized access to the discovery service\u0027s UDP port allowed content injection into parts of the OEM web interface making it possible for other types of attack that could spoof or deceive web interface users.\u0026nbsp;\u0026nbsp; Unauthorized use of the OEE/OEM discovery service was remediated by deactivating the discovery service by default.\u0026nbsp; \u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"f9fea0b6-671e-4eea-8fde-31911902ae05\", \"shortName\": \"ProgressSoftware\", \"dateUpdated\": \"2024-09-03T14:48:00.539Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-7654\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-03T15:09:51.475Z\", \"dateReserved\": \"2024-08-09T18:27:48.920Z\", \"assignerOrgId\": \"f9fea0b6-671e-4eea-8fde-31911902ae05\", \"datePublished\": \"2024-09-03T14:48:00.539Z\", \"assignerShortName\": \"ProgressSoftware\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.