FKIE_CVE-2024-7345
Vulnerability from fkie_nvd - Published: 2024-09-03 15:15 - Updated: 2024-09-05 14:11
Severity
8.3 (High) - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
9.6 (Critical) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
Local ABL Client bypass of the required PASOE security checks may allow an attacker to commit unauthorized code injection into Multi-Session Agents on supported OpenEdge LTS platforms up to OpenEdge LTS 11.7.18 and LTS 12.2.13 on all supported release platforms
References
| Source | URL | Tags |
|---|---|---|
| security@progress.com | https://community.progress.com/s/article/Direct-local-client-connections-to-MS-Agents-can-bypass-authentication | Mitigation, Vendor Advisory |
```json
{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:progress:openedge:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4E38EE20-1A60-46BB-8045-965B60B09B68",
              "versionEndIncluding": "11.7.18",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:progress:openedge:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EE560C37-3845-4B18-BDDC-38FF65C4CA2C",
              "versionEndIncluding": "12.2.13",
              "versionStartIncluding": "12.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Local ABL Client bypass of the required PASOE security checks may allow an attacker to commit unauthorized code injection into Multi-Session Agents on supported OpenEdge LTS platforms up to OpenEdge LTS 11.7.18 and LTS 12.2.13 on all supported release platforms"
    },
    {
      "lang": "es",
      "value": "La omisi\u00f3n por parte del cliente ABL local de las comprobaciones de seguridad PASOE requeridas puede permitir que un atacante realice una inyecci\u00f3n de c\u00f3digo no autorizada en agentes multisesi\u00f3n en plataformas OpenEdge LTS compatibles hasta OpenEdge LTS 11.7.18 y LTS 12.2.13 en todas las plataformas de lanzamiento compatibles"
    }
  ],
  "id": "CVE-2024-7345",
  "lastModified": "2024-09-05T14:11:00.493",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 6.0,
        "source": "security@progress.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.6,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 6.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-09-03T15:15:16.707",
  "references": [
    {
      "source": "security@progress.com",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://community.progress.com/s/article/Direct-local-client-connections-to-MS-Agents-can-bypass-authentication"
    }
  ],
  "sourceIdentifier": "security@progress.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "security@progress.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}
```
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.