CVE-2024-7345
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
Local ABL Client bypass of the required PASOE security checks may allow an attacker to commit unauthorized code injection into Multi-Session Agents on supported OpenEdge LTS platforms up to OpenEdge LTS 11.7.18 and LTS 12.2.13 on all supported release platforms
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Progress | OpenEdge | 11.7.0 <= 11.7.19 | affected |
| Progress | OpenEdge | 12.2.0 <= 12.2.14 | affected |
| Progress | OpenEdge | 12.8.0 | unaffected |
Weaknesses
- CWE-94: CWE-94 Improper Control of Generation of Code ('Code Injection')
Workarounds
Do not put client software on host webserver systems Ensure the "AppServer.SessMgr.agentHost" property is set to "localhost" unless you are multi-hosting a single Webserver system Block agent listening ports from network access anywhere with the exception of the PASOE Tomcat Webserver's published listening port Launch PASOE agent processes with "least privilege" system resource capabilities
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.