CVE-2024-1403
Published: 27 February 2024
Summary
CVE-2024-1403 is a critical-severity Authentication Bypass by Primary Weakness (CWE-305) vulnerability in Progress OpenEdge. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 5.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-1403 is an authentication bypass vulnerability in Progress OpenEdge Authentication Gateway and AdminServer, affecting all supported platforms in versions prior to 11.7.19, 12.2.14, and 12.8.1. The flaw stems from improper handling of username and password credentials, where unexpected content supplied in authentication requests can circumvent checks and grant access without valid credentials. It is tracked under CWE-305 and carries a CVSS 3.1 base score of 10.0.
An unauthenticated attacker with network access can exploit the issue by submitting crafted credential data to the affected components, resulting in unauthorized access that may allow full compromise of confidentiality, integrity, and availability within the scope of the vulnerable service.
Progress security advisories direct customers to upgrade OpenEdge Authentication Gateway and AdminServer to the fixed releases 11.7.19, 12.2.14, or 12.8.1. The EPSS score has remained near 0.16 with only minor variation between its recorded peak and current value, indicating no pronounced post-disclosure surge in exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-17158
Vulnerability details
In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified. The vulnerability is a bypass to authentication based on a failure to properly handle username and password. Certain unexpected content passed into the credentials can lead to unauthorized access without proper authentication.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.