CVE-2023-40052

This issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0 . An attacker who can produce a malformed web request may cause the crash of a PASOE agent potentially disrupting the thread activities of many web application clients. Multiple of these DoS attacks could lead to the flooding of invalid requests as compared to the server’s remaining ability to process valid requests.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://community.progress.com/s/article/Important-Progress-OpenEdge-Product-Alert-for-Progress-Application-Server-for-OpenEdge-PASOE-Denial-of-Service-Vulnerability-in-WEB-Transport	Vendor Advisory
https://www.progress.com/openedge	Product

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:progress:openedge::::::::
	cpe:2.3:a:progress:openedge::::::::

Configuration 2 (hide)

cpe:2.3:a:progress:openedge_innovation:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-01-18 15:15

Updated : 2024-01-26 15:26

NVD link : CVE-2023-40052

Mitre link : CVE-2023-40052

CVE.ORG link : CVE-2023-40052

JSON object : View

Products Affected

progress

openedge
openedge_innovation

CWE

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

{"id": "CVE-2023-40052", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security@progress.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-01-18T15:15:09.247", "references": [{"url": "https://community.progress.com/s/article/Important-Progress-OpenEdge-Product-Alert-for-Progress-Application-Server-for-OpenEdge-PASOE-Denial-of-Service-Vulnerability-in-WEB-Transport", "tags": ["Vendor Advisory"], "source": "security@progress.com"}, {"url": "https://www.progress.com/openedge", "tags": ["Product"], "source": "security@progress.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-119"}]}, {"type": "Secondary", "source": "security@progress.com", "description": [{"lang": "en", "value": "CWE-119"}]}], "descriptions": [{"lang": "en", "value": "\n\n\nThis issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0\n\n.\u00a0\n\nAn attacker who can produce a malformed web request may cause the crash of a PASOE agent potentially disrupting the thread activities of many web application clients. Multiple of these DoS attacks could lead to the flooding of invalid requests as compared to the server\u2019s remaining ability to process valid requests.\n\n\n\n\n\n"}, {"lang": "es", "value": "Este problema afecta a Progress Application Server (PAS) para OpenEdge en las versiones 11.7 anteriores a 11.7.18, 12.2 anteriores a 12.2.13 y versiones de innovaci\u00f3n anteriores a 12.8.0. Un atacante que pueda generar una solicitud web con formato incorrecto puede provocar el bloqueo de un agente PASOE, lo que podr\u00eda interrumpir las actividades de subprocesos de muchos clientes de aplicaciones web. Varios de estos ataques DoS podr\u00edan provocar una inundaci\u00f3n de solicitudes no v\u00e1lidas en comparaci\u00f3n con la capacidad restante del servidor para procesar solicitudes v\u00e1lidas."}], "lastModified": "2024-01-26T15:26:09.533", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:progress:openedge:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7298E8E1-4C6A-4AE7-954E-480F86D8B8E1", "versionEndExcluding": "11.7.18", "versionStartIncluding": "11.7"}, {"criteria": "cpe:2.3:a:progress:openedge:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2057ECB7-5DD8-485F-9D43-560A152C883C", "versionEndExcluding": "12.2.13", "versionStartIncluding": "12.2"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:progress:openedge_innovation:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "59216BF0-5044-4252-AB97-B63FFAA84F24", "versionEndExcluding": "12.8.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@progress.com"}