CVE-2024-1403 - Vulnerability Details - OpenCVE

In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified. The vulnerability is a bypass to authentication based on a failure to properly handle username and password. Certain unexpected content passed into the credentials can lead to unauthorized access without proper authentication.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Progress	Openedge

Configuration 1 [-]

OR	cpe:2.3:a:progress:openedge:::::lts:::*
	cpe:2.3:a:progress:openedge:::::lts:::*
	cpe:2.3:a:progress:openedge:::::lts:::*

No data.

References

Link	Providers
https://community.progress.com/s/article/Important-Critical-Alert-for-OpenEdge-Authentication-Gateway-and-AdminServer
https://www.progress.com/openedge

History

Tue, 11 Feb 2025 18:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Progress Progress openedge
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:progress:openedge:::::lts:::*
Vendors & Products		Progress Progress openedge

MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published: 2024-02-27T15:39:54.850Z

Updated: 2024-08-12T19:27:43.016Z

Reserved: 2024-02-09T15:46:27.472Z

Link: CVE-2024-1403

Vulnrichment

Updated: 2024-08-01T18:40:21.248Z

NVD

Status : Analyzed

Published: 2024-02-27T16:15:45.643

Modified: 2025-02-11T17:40:59.267

Link: CVE-2024-1403

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1403", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "state": "PUBLISHED", "assignerShortName": "ProgressSoftware", "dateReserved": "2024-02-09T15:46:27.472Z", "datePublished": "2024-02-27T15:39:54.850Z", "dateUpdated": "2024-08-12T19:27:43.016Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "modules": ["OpenEdge Authentication Gateway", "AdminServer"], "platforms": ["Windows", "Linux", "x86", "64 bit", "32 bit"], "product": "OpenEdge", "vendor": "Progress", "versions": [{"lessThan": "11.7.19", "status": "affected", "version": "11.7.0", "versionType": "semver"}, {"lessThan": "12.2.14", "status": "affected", "version": "12.2.0", "versionType": "semver"}, {"lessThan": "12.8.1", "status": "affected", "version": "12.8.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified.  The\nvulnerability is a bypass to authentication based on a failure to properly\nhandle username and password. Certain unexpected\ncontent passed into the credentials can lead to unauthorized access without proper\nauthentication.   \n\n\n\n\n\n<br>"}], "value": "In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified.\u00a0 The\nvulnerability is a bypass to authentication based on a failure to properly\nhandle username and password. Certain unexpected\ncontent passed into the credentials can lead to unauthorized access without proper\nauthentication. \u00a0 \n\n\n\n\n\n\n"}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-305", "description": "CWE-305: Authentication Bypass by Primary Weakness", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2024-02-27T15:39:54.850Z"}, "references": [{"tags": ["product"], "url": "https://www.progress.com/openedge"}, {"tags": ["vendor-advisory"], "url": "https://community.progress.com/s/article/Important-Critical-Alert-for-OpenEdge-Authentication-Gateway-and-AdminServer"}], "source": {"discovery": "UNKNOWN"}, "title": "Authentication Bypass in OpenEdge Authentication Gateway and AdminServer", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:40:21.248Z"}, "title": "CVE Program Container", "references": [{"tags": ["product", "x_transferred"], "url": "https://www.progress.com/openedge"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://community.progress.com/s/article/Important-Critical-Alert-for-OpenEdge-Authentication-Gateway-and-AdminServer"}]}, {"affected": [{"vendor": "progress", "product": "openedge", "cpes": ["cpe:2.3:a:progress:openedge:*:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "11.7.0", "status": "affected", "lessThan": "11.7.19", "versionType": "semver"}, {"version": "12.2.0", "status": "affected", "lessThan": "12.2.14", "versionType": "semver"}, {"version": "12.8.0", "status": "affected", "lessThan": "12.8.1", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-03-16T04:00:49.775339Z", "id": "CVE-2024-1403", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-12T19:27:43.016Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.progress.com/openedge", "tags": ["product", "x_transferred"]}, {"url": "https://community.progress.com/s/article/Important-Critical-Alert-for-OpenEdge-Authentication-Gateway-and-AdminServer", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:40:21.248Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1403", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-03-16T04:00:49.775339Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:progress:openedge:*:*:*:*:*:*:*:*"], "vendor": "progress", "product": "openedge", "versions": [{"status": "affected", "version": "11.7.0", "lessThan": "11.7.19", "versionType": "semver"}, {"status": "affected", "version": "12.2.0", "lessThan": "12.2.14", "versionType": "semver"}, {"status": "affected", "version": "12.8.0", "lessThan": "12.8.1", "versionType": "semver"}], "defaultStatus": "affected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-12T19:27:37.068Z"}}], "cna": {"title": "Authentication Bypass in OpenEdge Authentication Gateway and AdminServer", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Progress", "modules": ["OpenEdge Authentication Gateway", "AdminServer"], "product": "OpenEdge", "versions": [{"status": "affected", "version": "11.7.0", "lessThan": "11.7.19", "versionType": "semver"}, {"status": "affected", "version": "12.2.0", "lessThan": "12.2.14", "versionType": "semver"}, {"status": "affected", "version": "12.8.0", "lessThan": "12.8.1", "versionType": "semver"}], "platforms": ["Windows", "Linux", "x86", "64 bit", "32 bit"], "defaultStatus": "affected"}], "references": [{"url": "https://www.progress.com/openedge", "tags": ["product"]}, {"url": "https://community.progress.com/s/article/Important-Critical-Alert-for-OpenEdge-Authentication-Gateway-and-AdminServer", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified.\u00a0 The\nvulnerability is a bypass to authentication based on a failure to properly\nhandle username and password. Certain unexpected\ncontent passed into the credentials can lead to unauthorized access without proper\nauthentication. \u00a0 \n\n\n\n\n\n\n", "supportingMedia": [{"type": "text/html", "value": "In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified.  The\nvulnerability is a bypass to authentication based on a failure to properly\nhandle username and password. Certain unexpected\ncontent passed into the credentials can lead to unauthorized access without proper\nauthentication.   \n\n\n\n\n\n<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-305", "description": "CWE-305: Authentication Bypass by Primary Weakness"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2024-02-27T15:39:54.850Z"}}}, "cveMetadata": {"cveId": "CVE-2024-1403", "state": "PUBLISHED", "dateUpdated": "2024-08-12T19:27:43.016Z", "dateReserved": "2024-02-09T15:46:27.472Z", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "datePublished": "2024-02-27T15:39:54.850Z", "assignerShortName": "ProgressSoftware"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:progress:openedge:*:*:*:*:lts:*:*:*", "matchCriteriaId": "EE51C6DF-9ADA-4C9C-9820-94DD94ADA656", "versionEndExcluding": "11.7.19", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:openedge:*:*:*:*:lts:*:*:*", "matchCriteriaId": "6BD175A1-83AF-410B-9CEE-C9B65F32F3B4", "versionEndExcluding": "12.2.14", "versionStartIncluding": "11.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:openedge:*:*:*:*:lts:*:*:*", "matchCriteriaId": "D2D98FDE-6A77-4604-904C-43ABCE323D48", "versionEndExcluding": "12.8.1", "versionStartIncluding": "12.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified.\u00a0 The\nvulnerability is a bypass to authentication based on a failure to properly\nhandle username and password. Certain unexpected\ncontent passed into the credentials can lead to unauthorized access without proper\nauthentication. \u00a0 \n\n\n\n\n\n\n"}, {"lang": "es", "value": "En OpenEdge Authentication Gateway y AdminServer anteriores a 11.7.19, 12.2.14, 12.8.1 en todas las plataformas compatibles con el producto OpenEdge, se identific\u00f3 una vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n. La vulnerabilidad es una omisi\u00f3n de la autenticaci\u00f3n basada en una falla al manejar adecuadamente el nombre de usuario y la contrase\u00f1a. Cierto contenido inesperado que se pasa a las credenciales puede provocar un acceso no autorizado sin la autenticaci\u00f3n adecuada."}], "id": "CVE-2024-1403", "lastModified": "2025-02-11T17:40:59.267", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "security@progress.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-27T16:15:45.643", "references": [{"source": "security@progress.com", "tags": ["Vendor Advisory"], "url": "https://community.progress.com/s/article/Important-Critical-Alert-for-OpenEdge-Authentication-Gateway-and-AdminServer"}, {"source": "security@progress.com", "tags": ["Product"], "url": "https://www.progress.com/openedge"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://community.progress.com/s/article/Important-Critical-Alert-for-OpenEdge-Authentication-Gateway-and-AdminServer"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://www.progress.com/openedge"}], "sourceIdentifier": "security@progress.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-305"}], "source": "security@progress.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}