CVE-2023-40052 - Vulnerability Details - OpenCVE

This issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0 . An attacker who can produce a malformed web request may cause the crash of a PASOE agent potentially disrupting the thread activities of many web application clients. Multiple of these DoS attacks could lead to the flooding of invalid requests as compared to the server’s remaining ability to process valid requests.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Progress	Openedge Openedge Innovation

Configuration 1 [-]

OR	cpe:2.3:a:progress:openedge::::::::
	cpe:2.3:a:progress:openedge::::::::

Configuration 2 [-]

cpe:2.3:a:progress:openedge_innovation:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://community.progress.com/s/article/Important-Progress-OpenEdge-Product-Alert-for-Progress-Application-Server-for-OpenEdge-PASOE-Denial-of-Service-Vulnerability-in-WEB-Transport
https://www.progress.com/openedge

History

No history.

MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published: 2024-01-18T15:11:51.468Z

Updated: 2024-08-29T19:52:53.852Z

Reserved: 2023-08-08T19:44:41.113Z

Link: CVE-2023-40052

Vulnrichment

Updated: 2024-08-02T18:24:54.659Z

NVD

Status : Modified

Published: 2024-01-18T15:15:09.247

Modified: 2024-11-21T08:18:36.560

Link: CVE-2023-40052

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-40052", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "state": "PUBLISHED", "assignerShortName": "ProgressSoftware", "dateReserved": "2023-08-08T19:44:41.113Z", "datePublished": "2024-01-18T15:11:51.468Z", "dateUpdated": "2024-08-29T19:52:53.852Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "modules": ["Progress Application Server (PAS) for OpenEdge"], "product": "OpenEdge", "vendor": "Progress Software Corporation", "versions": [{"lessThan": "11.7.18", "status": "affected", "version": "11.7.0", "versionType": "semver"}, {"lessThan": "12.2.13", "status": "affected", "version": "12.2.0", "versionType": "semver"}, {"lessThan": "12.8.0", "status": "affected", "version": "Innovation Releases", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>\n\n\n\nThis issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0\n\n. \n\nAn attacker who can produce a malformed web request may cause the crash of a PASOE agent potentially disrupting the thread activities of many web application clients. Multiple of these DoS attacks could lead to the flooding of invalid requests as compared to the server\u2019s remaining ability to process valid requests.\n\n\n\n</p>"}], "value": "\n\n\nThis issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0\n\n.\u00a0\n\nAn attacker who can produce a malformed web request may cause the crash of a PASOE agent potentially disrupting the thread activities of many web application clients. Multiple of these DoS attacks could lead to the flooding of invalid requests as compared to the server\u2019s remaining ability to process valid requests.\n\n\n\n\n\n"}], "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100 Overflow Buffers"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-119", "description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2024-01-18T16:05:57.443Z"}, "references": [{"tags": ["product"], "url": "https://www.progress.com/openedge"}, {"tags": ["vendor-advisory"], "url": "https://community.progress.com/s/article/Important-Progress-OpenEdge-Product-Alert-for-Progress-Application-Server-for-OpenEdge-PASOE-Denial-of-Service-Vulnerability-in-WEB-Transport"}], "source": {"discovery": "UNKNOWN"}, "title": "Progress Application Server (PAS) for OpenEdge Denial of Service", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:24:54.659Z"}, "title": "CVE Program Container", "references": [{"tags": ["product", "x_transferred"], "url": "https://www.progress.com/openedge"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://community.progress.com/s/article/Important-Progress-OpenEdge-Product-Alert-for-Progress-Application-Server-for-OpenEdge-PASOE-Denial-of-Service-Vulnerability-in-WEB-Transport"}]}, {"affected": [{"vendor": "progress", "product": "openedge", "cpes": ["cpe:2.3:a:progress:openedge:-:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "11.7", "status": "affected", "lessThan": "11.7.18", "versionType": "semver"}, {"version": "12.2.0", "status": "affected", "lessThan": "12.2.13", "versionType": "semver"}]}, {"vendor": "progress", "product": "openedge_innovation", "cpes": ["cpe:2.3:a:progress:openedge_innovation:*:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "0", "status": "affected", "lessThan": "12.8.0", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-26T19:36:44.054706Z", "id": "CVE-2023-40052", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-29T19:52:53.852Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.progress.com/openedge", "tags": ["product", "x_transferred"]}, {"url": "https://community.progress.com/s/article/Important-Progress-OpenEdge-Product-Alert-for-Progress-Application-Server-for-OpenEdge-PASOE-Denial-of-Service-Vulnerability-in-WEB-Transport", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:24:54.659Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-40052", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-26T19:36:44.054706Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:progress:openedge:-:*:*:*:*:*:*:*"], "vendor": "progress", "product": "openedge", "versions": [{"status": "affected", "version": "11.7", "lessThan": "11.7.18", "versionType": "semver"}, {"status": "affected", "version": "12.2.0", "lessThan": "12.2.13", "versionType": "semver"}], "defaultStatus": "affected"}, {"cpes": ["cpe:2.3:a:progress:openedge_innovation:*:*:*:*:*:*:*:*"], "vendor": "progress", "product": "openedge_innovation", "versions": [{"status": "affected", "version": "0", "lessThan": "12.8.0", "versionType": "semver"}], "defaultStatus": "affected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-28T14:16:43.772Z"}}], "cna": {"title": "Progress Application Server (PAS) for OpenEdge Denial of Service", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100 Overflow Buffers"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Progress Software Corporation", "modules": ["Progress Application Server (PAS) for OpenEdge"], "product": "OpenEdge", "versions": [{"status": "affected", "version": "11.7.0", "lessThan": "11.7.18", "versionType": "semver"}, {"status": "affected", "version": "12.2.0", "lessThan": "12.2.13", "versionType": "semver"}, {"status": "affected", "version": "Innovation Releases", "lessThan": "12.8.0", "versionType": "semver"}], "defaultStatus": "affected"}], "references": [{"url": "https://www.progress.com/openedge", "tags": ["product"]}, {"url": "https://community.progress.com/s/article/Important-Progress-OpenEdge-Product-Alert-for-Progress-Application-Server-for-OpenEdge-PASOE-Denial-of-Service-Vulnerability-in-WEB-Transport", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "\n\n\nThis issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0\n\n.\u00a0\n\nAn attacker who can produce a malformed web request may cause the crash of a PASOE agent potentially disrupting the thread activities of many web application clients. Multiple of these DoS attacks could lead to the flooding of invalid requests as compared to the server\u2019s remaining ability to process valid requests.\n\n\n\n\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>\n\n\n\nThis issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0\n\n. \n\nAn attacker who can produce a malformed web request may cause the crash of a PASOE agent potentially disrupting the thread activities of many web application clients. Multiple of these DoS attacks could lead to the flooding of invalid requests as compared to the server\u2019s remaining ability to process valid requests.\n\n\n\n</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-119", "description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2024-01-18T16:05:57.443Z"}}}, "cveMetadata": {"cveId": "CVE-2023-40052", "state": "PUBLISHED", "dateUpdated": "2024-08-29T19:52:53.852Z", "dateReserved": "2023-08-08T19:44:41.113Z", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "datePublished": "2024-01-18T15:11:51.468Z", "assignerShortName": "ProgressSoftware"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:progress:openedge:*:*:*:*:*:*:*:*", "matchCriteriaId": "7298E8E1-4C6A-4AE7-954E-480F86D8B8E1", "versionEndExcluding": "11.7.18", "versionStartIncluding": "11.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:openedge:*:*:*:*:*:*:*:*", "matchCriteriaId": "2057ECB7-5DD8-485F-9D43-560A152C883C", "versionEndExcluding": "12.2.13", "versionStartIncluding": "12.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:progress:openedge_innovation:*:*:*:*:*:*:*:*", "matchCriteriaId": "59216BF0-5044-4252-AB97-B63FFAA84F24", "versionEndExcluding": "12.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\n\n\nThis issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0\n\n.\u00a0\n\nAn attacker who can produce a malformed web request may cause the crash of a PASOE agent potentially disrupting the thread activities of many web application clients. Multiple of these DoS attacks could lead to the flooding of invalid requests as compared to the server\u2019s remaining ability to process valid requests.\n\n\n\n\n\n"}, {"lang": "es", "value": "Este problema afecta a Progress Application Server (PAS) para OpenEdge en las versiones 11.7 anteriores a 11.7.18, 12.2 anteriores a 12.2.13 y versiones de innovaci\u00f3n anteriores a 12.8.0. Un atacante que pueda generar una solicitud web con formato incorrecto puede provocar el bloqueo de un agente PASOE, lo que podr\u00eda interrumpir las actividades de subprocesos de muchos clientes de aplicaciones web. Varios de estos ataques DoS podr\u00edan provocar una inundaci\u00f3n de solicitudes no v\u00e1lidas en comparaci\u00f3n con la capacidad restante del servidor para procesar solicitudes v\u00e1lidas."}], "id": "CVE-2023-40052", "lastModified": "2024-11-21T08:18:36.560", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@progress.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-18T15:15:09.247", "references": [{"source": "security@progress.com", "tags": ["Vendor Advisory"], "url": "https://community.progress.com/s/article/Important-Progress-OpenEdge-Product-Alert-for-Progress-Application-Server-for-OpenEdge-PASOE-Denial-of-Service-Vulnerability-in-WEB-Transport"}, {"source": "security@progress.com", "tags": ["Product"], "url": "https://www.progress.com/openedge"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://community.progress.com/s/article/Important-Progress-OpenEdge-Product-Alert-for-Progress-Application-Server-for-OpenEdge-PASOE-Denial-of-Service-Vulnerability-in-WEB-Transport"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://www.progress.com/openedge"}], "sourceIdentifier": "security@progress.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "security@progress.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}