Cyber Resilience

CVE-2024-1403

Severity: Critical
Published: 27 February 2024
Modified: 11 February 2025
KEV Added: not listed
Patch: fixed releases available
CVSS Score (v3.1): 10.0 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.1624 (95.0th percentile)
Risk Priority: 30 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-1403 is a critical-severity Authentication Bypass by Primary Weakness (CWE-305) vulnerability in Progress OpenEdge. Its CVSS base score is 10.0 (Critical).

Operationally, it ranks in the top 5.0% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-1403 is an authentication bypass vulnerability in Progress OpenEdge Authentication Gateway and AdminServer, affecting all supported platforms in versions prior to 11.7.19, 12.2.14, and 12.8.1. The flaw stems from improper handling of username and password credentials, where unexpected content supplied in authentication requests can circumvent checks and grant access without valid credentials. It is tracked under CWE-305 and carries a CVSS 3.1 base score of 10.0.

An unauthenticated attacker with network access can exploit the issue by submitting crafted credential data to the affected components, resulting in unauthorized access that may allow full compromise of confidentiality, integrity, and availability within the scope of the vulnerable service.

Progress security advisories direct customers to upgrade OpenEdge Authentication Gateway and AdminServer to the fixed releases 11.7.19, 12.2.14, or 12.8.1. The EPSS score has remained near 0.16 with only minor variation between its recorded peak and current value, indicating no pronounced post-disclosure surge in exploitation interest.

Vulnerability details

In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified. The vulnerability is a bypass to authentication based on a failure to properly handle username and password. Certain unexpected content passed into the credentials can lead to unauthorized access without proper authentication.

CWE(s)

CWE-305: Authentication Bypass by Primary Weakness

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Progress
Product: OpenEdge
Affected version ranges: ≤ 11.7.19 · 11.8 — 12.2.14 · 12.3 — 12.8.1
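The remediation for this CVE is a version upgrade, so the practical defender task is to find every OpenEdge install that sits below the fixed release for its branch. The following triage script is an added example, not code from Progress or from this record: it compares an installed version against the three fixed releases named above (11.7.19, 12.2.14, 12.8.1) and runs that check over a small constructed asset inventory. The branch boundaries it uses (anything below 11.8 is judged against 11.7.19, 11.8 up to 12.2.x against 12.2.14, 12.3 up to 12.x against 12.8.1) are an assumption derived from the affected ranges listed under Affected Assets; release lines the advisory does not name (13.x and later, or unparseable strings) are reported as unknown rather than guessed.

```python
import re

# Fixed releases from the advisory, one per release line.
# Each entry: (branch start inclusive, branch end exclusive, first fixed release).
# Branch boundaries are an assumption derived from the page's affected ranges.
FIXED_RELEASES = (
    ((0, 0, 0), (11, 8, 0), (11, 7, 19)),
    ((11, 8, 0), (12, 3, 0), (12, 2, 14)),
    ((12, 3, 0), (13, 0, 0), (12, 8, 1)),
)


def parse_version(text):
    """Parse 'major.minor.patch' into a 3-tuple; missing parts default to 0.

    Raises ValueError for anything that is not dotted digits, so that a
    garbage inventory value never gets silently compared as a real version.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def assess(version_text):
    """Return (status, fixed_release_text).

    status is 'vulnerable' (below the fixed release on its branch),
    'fixed' (at or above it) or 'unknown' (unparseable, or a release line
    the advisory does not cover).
    """
    try:
        v = parse_version(version_text)
    except ValueError:
        return ("unknown", None)
    for start, end, fixed in FIXED_RELEASES:
        if start <= v < end:
            fixed_text = ".".join(str(n) for n in fixed)
            return ("vulnerable" if v < fixed else "fixed", fixed_text)
    return ("unknown", None)


# Constructed sample inventory (hostnames and versions are made up for the example).
INVENTORY = """\
host=db01 product=openedge version=12.2.13
host=db02 product=openedge version=12.2.14
host=app01 product=openedge version=11.7.18
host=app02 product=openedge version=12.8.1
host=app03 product=openedge version=12.4
host=legacy product=openedge version=n/a
"""

LINE_RE = re.compile(r"host=(\S+)\s+product=(\S+)\s+version=(\S+)")


def triage(inventory_text):
    """Run assess() over each inventory line and return one record per host."""
    results = []
    for line in inventory_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip malformed lines rather than aborting the whole run
        host, _product, version = match.groups()
        status, fixed = assess(version)
        results.append({"host": host, "version": version,
                        "status": status, "upgrade_to": fixed})
    return results


if __name__ == "__main__":
    for rec in triage(INVENTORY):
        target = rec["upgrade_to"] or "n/a"
        print(f"{rec['host']:8} {rec['version']:8} {rec['status']:10} upgrade_to={target}")
```

The "unknown" status is deliberate: an inventory value that cannot be parsed, or a release line the advisory never mentions, should surface for manual review rather than be marked fixed by omission.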

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.