In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified. The vulnerability is a bypass to authentication based on a failure to properly handle username and password. Certain unexpected content passed into the credentials can lead to unauthorized access without proper authentication.
The vulnerability results from improper handling of username and password during the authentication process. Passing unexpected content in authentication data fields causes an error in the verification logic, resulting in the bypass of access control mechanisms. As a result, an attacker can gain access to protected resources without providing valid credentials.
A remote unauthenticated attacker can gain unauthorized access to the system with potentially full privileges, threatening the confidentiality, integrity, and availability of protected data and services.
The software must be updated immediately to version 11.7.19, 12.2.14, or 12.8.1 (depending on the branch in use). Detailed instructions are available in the official security bulletin from the vendor at the address indicated in the references.
Progress OpenEdge Authentication Gateway and AdminServer in all versions prior to 11.7.19, 12.2.14, and 12.8.1 on all platforms supported by the OpenEdge product.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HProgress Openedge
APPProgress< 11.7.1911.8 – 12.2.14 (bez)12.3 – 12.8.1 (bez)
Related vulnerabilities
Dowolne przesyłanie plików w Progress Application Server dla OpenEdge (PASOE)
Insecure default configuration in Progress Software OpenEdge 10.2x and 11.x allows unauthenticated remote atta...
Local ABL Client bypass of the required PASOE security checks may allow an attacker to commit unauthorized cod...
Host name validation for TLS certificates is bypassed when the installed OpenEdge default certificates are use...
An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OE...