CVE-2023-32265

Summary

A potential security vulnerability has been identified in the Enterprise Server Common Web Administration (ESCWA) component used in Enterprise Server, Enterprise Test Server, Enterprise Developer, Visual COBOL, and COBOL Server. An attacker would need to be authenticated into ESCWA to attempt to exploit this vulnerability. As described in the hardening guide in the product documentation, other mitigations including restricting network access to ESCWA and restricting users’ permissions in the Micro Focus Directory Server also reduce the exposure to this issue.

Given the right conditions this vulnerability could be exploited to expose a service account password. The account corresponding to the exposed credentials usually has limited privileges and, in many cases would only be useful for extracting details of other user accounts and similar information.

Affected Software

VendorProductVersion RangeStatus
Micro FocusEnterprise Server6.0 <= 6.0 update 24affected
Micro FocusEnterprise Server7.0 <= 7.0 update 17affected
Micro FocusEnterprise Server8.0 <= 8.0 update 6affected
Micro FocusEnterprise Test Server6.0 <= 6.0 update 24affected
Micro FocusEnterprise Test Server7.0 <= 7.0 update 17affected
Micro FocusEnterprise Test Server8.0 <= 8.0 update 6affected
Micro FocusEnterprise Developer6.0 <= 6.0 update 24affected
Micro FocusEnterprise Developer7.0 <= 7.0 update 17affected
Micro FocusEnterprise Developer8.0 <= 8.0 update 6affected
Micro FocusVisual COBOL6.0 <= 6.0 update 24affected
Micro FocusVisual COBOL7.0 <= 7.0 update 17affected
Micro FocusVisual COBOL8.0 <= 8.0 update 6affected
Micro FocusCOBOL Server6.0 <= 6.0 update 24affected
Micro FocusCOBOL Server7.0 <= 7.0 update 17affected
Micro FocusCOBOL Server8.0 <= 8.0 update 6affected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References