CVE-2024-1403 - Vulnerability Details - OpenCVE

In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified. The
vulnerability is a bypass to authentication based on a failure to properly
handle username and password. Certain unexpected
content passed into the credentials can lead to unauthorized access without proper
authentication.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.1664.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Progress

OpenEdge

affected

Version	Status	Constraints
`11.7.0`	affected	< 11.7.19
`12.2.0`	affected	< 12.2.14
`12.8.0`	affected	< 12.8.1

Configuration 1 [-]

OR	cpe:2.3:a:progress:openedge:::::lts:::*
	cpe:2.3:a:progress:openedge:::::lts:::*
	cpe:2.3:a:progress:openedge:::::lts:::*

No data.

No data.

Project Subscriptions

Vendors	Products
Progress Subscribe	Openedge Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://community.progress.com/s/article/Important-Critical-Alert-for-OpenEdge-Authentication-Gateway-and-AdminServer
https://www.progress.com/openedge

History

Tue, 11 Feb 2025 18:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Progress Progress openedge
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:progress:openedge:::::lts:::*
Vendors & Products		Progress Progress openedge

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published: 2024-02-27T15:39:54.850Z

Updated: 2024-08-12T19:27:43.016Z

Reserved: 2024-02-09T15:46:27.472Z

Link: CVE-2024-1403

Vulnrichment

Updated: 2024-08-01T18:40:21.248Z

NVD

Status : Analyzed

Published: 2024-02-27T16:15:45.643

Modified: 2025-02-11T17:40:59.267

Link: CVE-2024-1403

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1403", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "state": "PUBLISHED", "assignerShortName": "ProgressSoftware", "dateReserved": "2024-02-09T15:46:27.472Z", "datePublished": "2024-02-27T15:39:54.850Z", "dateUpdated": "2024-08-12T19:27:43.016Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "modules": ["OpenEdge Authentication Gateway", "AdminServer"], "platforms": ["Windows", "Linux", "x86", "64 bit", "32 bit"], "product": "OpenEdge", "vendor": "Progress", "versions": [{"lessThan": "11.7.19", "status": "affected", "version": "11.7.0", "versionType": "semver"}, {"lessThan": "12.2.14", "status": "affected", "version": "12.2.0", "versionType": "semver"}, {"lessThan": "12.8.1", "status": "affected", "version": "12.8.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified.  The\nvulnerability is a bypass to authentication based on a failure to properly\nhandle username and password. Certain unexpected\ncontent passed into the credentials can lead to unauthorized access without proper\nauthentication.   \n\n\n\n\n\n<br>"}], "value": "In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified.\u00a0 The\nvulnerability is a bypass to authentication based on a failure to properly\nhandle username and password. Certain unexpected\ncontent passed into the credentials can lead to unauthorized access without proper\nauthentication. \u00a0 \n\n\n\n\n\n\n"}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-305", "description": "CWE-305: Authentication Bypass by Primary Weakness", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2024-02-27T15:39:54.850Z"}, "references": [{"tags": ["product"], "url": "https://www.progress.com/openedge"}, {"tags": ["vendor-advisory"], "url": "https://community.progress.com/s/article/Important-Critical-Alert-for-OpenEdge-Authentication-Gateway-and-AdminServer"}], "source": {"discovery": "UNKNOWN"}, "title": "Authentication Bypass in OpenEdge Authentication Gateway and AdminServer", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:40:21.248Z"}, "title": "CVE Program Container", "references": [{"tags": ["product", "x_transferred"], "url": "https://www.progress.com/openedge"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://community.progress.com/s/article/Important-Critical-Alert-for-OpenEdge-Authentication-Gateway-and-AdminServer"}]}, {"affected": [{"vendor": "progress", "product": "openedge", "cpes": ["cpe:2.3:a:progress:openedge:*:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "11.7.0", "status": "affected", "lessThan": "11.7.19", "versionType": "semver"}, {"version": "12.2.0", "status": "affected", "lessThan": "12.2.14", "versionType": "semver"}, {"version": "12.8.0", "status": "affected", "lessThan": "12.8.1", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-03-16T04:00:49.775339Z", "id": "CVE-2024-1403", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-12T19:27:43.016Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.progress.com/openedge", "tags": ["product", "x_transferred"]}, {"url": "https://community.progress.com/s/article/Important-Critical-Alert-for-OpenEdge-Authentication-Gateway-and-AdminServer", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:40:21.248Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1403", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-03-16T04:00:49.775339Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:progress:openedge:*:*:*:*:*:*:*:*"], "vendor": "progress", "product": "openedge", "versions": [{"status": "affected", "version": "11.7.0", "lessThan": "11.7.19", "versionType": "semver"}, {"status": "affected", "version": "12.2.0", "lessThan": "12.2.14", "versionType": "semver"}, {"status": "affected", "version": "12.8.0", "lessThan": "12.8.1", "versionType": "semver"}], "defaultStatus": "affected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-12T19:27:37.068Z"}}], "cna": {"title": "Authentication Bypass in OpenEdge Authentication Gateway and AdminServer", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Progress", "modules": ["OpenEdge Authentication Gateway", "AdminServer"], "product": "OpenEdge", "versions": [{"status": "affected", "version": "11.7.0", "lessThan": "11.7.19", "versionType": "semver"}, {"status": "affected", "version": "12.2.0", "lessThan": "12.2.14", "versionType": "semver"}, {"status": "affected", "version": "12.8.0", "lessThan": "12.8.1", "versionType": "semver"}], "platforms": ["Windows", "Linux", "x86", "64 bit", "32 bit"], "defaultStatus": "affected"}], "references": [{"url": "https://www.progress.com/openedge", "tags": ["product"]}, {"url": "https://community.progress.com/s/article/Important-Critical-Alert-for-OpenEdge-Authentication-Gateway-and-AdminServer", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified.\u00a0 The\nvulnerability is a bypass to authentication based on a failure to properly\nhandle username and password. Certain unexpected\ncontent passed into the credentials can lead to unauthorized access without proper\nauthentication. \u00a0 \n\n\n\n\n\n\n", "supportingMedia": [{"type": "text/html", "value": "In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified.  The\nvulnerability is a bypass to authentication based on a failure to properly\nhandle username and password. Certain unexpected\ncontent passed into the credentials can lead to unauthorized access without proper\nauthentication.   \n\n\n\n\n\n<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-305", "description": "CWE-305: Authentication Bypass by Primary Weakness"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2024-02-27T15:39:54.850Z"}}}, "cveMetadata": {"cveId": "CVE-2024-1403", "state": "PUBLISHED", "dateUpdated": "2024-08-12T19:27:43.016Z", "dateReserved": "2024-02-09T15:46:27.472Z", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "datePublished": "2024-02-27T15:39:54.850Z", "assignerShortName": "ProgressSoftware"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:progress:openedge:*:*:*:*:lts:*:*:*", "matchCriteriaId": "EE51C6DF-9ADA-4C9C-9820-94DD94ADA656", "versionEndExcluding": "11.7.19", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:openedge:*:*:*:*:lts:*:*:*", "matchCriteriaId": "6BD175A1-83AF-410B-9CEE-C9B65F32F3B4", "versionEndExcluding": "12.2.14", "versionStartIncluding": "11.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:openedge:*:*:*:*:lts:*:*:*", "matchCriteriaId": "D2D98FDE-6A77-4604-904C-43ABCE323D48", "versionEndExcluding": "12.8.1", "versionStartIncluding": "12.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified.\u00a0 The\nvulnerability is a bypass to authentication based on a failure to properly\nhandle username and password. Certain unexpected\ncontent passed into the credentials can lead to unauthorized access without proper\nauthentication. \u00a0 \n\n\n\n\n\n\n"}, {"lang": "es", "value": "En OpenEdge Authentication Gateway y AdminServer anteriores a 11.7.19, 12.2.14, 12.8.1 en todas las plataformas compatibles con el producto OpenEdge, se identific\u00f3 una vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n. La vulnerabilidad es una omisi\u00f3n de la autenticaci\u00f3n basada en una falla al manejar adecuadamente el nombre de usuario y la contrase\u00f1a. Cierto contenido inesperado que se pasa a las credenciales puede provocar un acceso no autorizado sin la autenticaci\u00f3n adecuada."}], "id": "CVE-2024-1403", "lastModified": "2025-02-11T17:40:59.267", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "security@progress.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-27T16:15:45.643", "references": [{"source": "security@progress.com", "tags": ["Vendor Advisory"], "url": "https://community.progress.com/s/article/Important-Critical-Alert-for-OpenEdge-Authentication-Gateway-and-AdminServer"}, {"source": "security@progress.com", "tags": ["Product"], "url": "https://www.progress.com/openedge"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://community.progress.com/s/article/Important-Critical-Alert-for-OpenEdge-Authentication-Gateway-and-AdminServer"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://www.progress.com/openedge"}], "sourceIdentifier": "security@progress.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-305"}], "source": "security@progress.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}