CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0CVE-2024-7346 – Client connections using default TLS certificates from OpenEdge may bypass TLS host name validation
https://notcve.org/view.php?id=CVE-2024-7346
Host name validation for TLS certificates is bypassed when the installed OpenEdge default certificates are used to perform the TLS handshake for a networked connection. This has been corrected so that default certificates are no longer capable of overriding host name validation and will need to be replaced where full TLS certificate validation is needed for network security. The existing certificates should be replaced with CA-signed certificates from a recognized certificate authority that contain the necessary information to support host name validation. • https://community.progress.com/s/article/Client-connections-using-default-TLS-certificates-from-OpenEdge-may-bypass-TLS-host-name-validation • CWE-297: Improper Validation of Certificate with Host Mismatch •
CVSS: 8.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-7345 – Direct local client connections to MS Agents can bypass authentication
https://notcve.org/view.php?id=CVE-2024-7345
Local ABL Client bypass of the required PASOE security checks may allow an attacker to commit unauthorized code injection into Multi-Session Agents on supported OpenEdge LTS platforms up to OpenEdge LTS 11.7.18 and LTS 12.2.13 on all supported release platforms • https://community.progress.com/s/article/Direct-local-client-connections-to-MS-Agents-can-bypass-authentication • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.3EPSS: 0%CPEs: 3EXPL: 0CVE-2024-7654 – Unauthenticated Content Injection in OpenEdge Management web interface via ActiveMQ discovery service
https://notcve.org/view.php?id=CVE-2024-7654
An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated. Unauthorized access to the discovery service's UDP port allowed content injection into parts of the OEM web interface making it possible for other types of attack that could spoof or deceive web interface users. Unauthorized use of the OEE/OEM discovery service was remediated by deactivating the discovery service by default. • https://community.progress.com/s/article/Unauthenticated-Content-Injection-in-OpenEdge-Management-web-interface-via-ActiveMQ-discovery-service • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 1CVE-2024-1403 – Authentication Bypass in OpenEdge Authentication Gateway and AdminServer
https://notcve.org/view.php?id=CVE-2024-1403
In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified. The vulnerability is a bypass to authentication based on a failure to properly handle username and password. Certain unexpected content passed into the credentials can lead to unauthorized access without proper authentication. En OpenEdge Authentication Gateway y AdminServer anteriores a 11.7.19, 12.2.14, 12.8.1 en todas las plataformas compatibles con el producto OpenEdge, se identificó una vulnerabilidad de omisión de autenticación. La vulnerabilidad es una omisión de la autenticación basada en una falla al manejar adecuadamente el nombre de usuario y la contraseña. • https://github.com/horizon3ai/CVE-2024-1403 https://community.progress.com/s/article/Important-Critical-Alert-for-OpenEdge-Authentication-Gateway-and-AdminServer https://www.progress.com/openedge • CWE-305: Authentication Bypass by Primary Weakness •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-40052 – Progress Application Server (PAS) for OpenEdge Denial of Service
https://notcve.org/view.php?id=CVE-2023-40052
This issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0 . An attacker who can produce a malformed web request may cause the crash of a PASOE agent potentially disrupting the thread activities of many web application clients. Multiple of these DoS attacks could lead to the flooding of invalid requests as compared to the server’s remaining ability to process valid requests. Este problema afecta a Progress Application Server (PAS) para OpenEdge en las versiones 11.7 anteriores a 11.7.18, 12.2 anteriores a 12.2.13 y versiones de innovación anteriores a 12.8.0. Un atacante que pueda generar una solicitud web con formato incorrecto puede provocar el bloqueo de un agente PASOE, lo que podría interrumpir las actividades de subprocesos de muchos clientes de aplicaciones web. Varios de estos ataques DoS podrían provocar una inundación de solicitudes no válidas en comparación con la capacidad restante del servidor para procesar solicitudes válidas. • https://community.progress.com/s/article/Important-Progress-OpenEdge-Product-Alert-for-Progress-Application-Server-for-OpenEdge-PASOE-Denial-of-Service-Vulnerability-in-WEB-Transport https://www.progress.com/openedge • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •