Lucene search

[email protected]CVE-2023-4501

HistorySep 12, 2023 - 7:15 p.m.

CVE-2023-4501

2023-09-1219:15:36

CWE-305

CWE-358

CWE-287

CWE-253

[email protected]

web.nvd.nist.gov

cve-2023-4501

opentext

micro focus

visual cobol

cobol server

enterprise developer

enterprise server

ldap

authentication

vulnerability

mitigations

administrators

nvd

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

39.3%

JSON

User authentication with username and password credentials is ineffective in OpenText (Micro Focus) Visual COBOL, COBOL Server, Enterprise Developer, and Enterprise Server (including product variants such as Enterprise Test Server), versions 7.0 patch updates 19 and 20, 8.0 patch updates 8 and 9, and 9.0 patch update 1, when LDAP-based authentication is used with certain configurations. When the vulnerability is active, authentication succeeds with any valid username, regardless of whether the password is correct; it may also succeed with an invalid username (and any password). This allows an attacker with access to the product to impersonate any user.

Mitigations: The issue is corrected in the upcoming patch update for each affected product. Product overlays and workaround instructions are available through OpenText Support. The vulnerable configurations are believed to be uncommon.

Administrators can test for the vulnerability in their installations by attempting to sign on to a Visual COBOL or Enterprise Server component such as ESCWA using a valid username and incorrect password.

Affected configurations

NVD

Node

microfocuscobol_serverMatch7.0patch_update_19

microfocuscobol_serverMatch7.0patch_update_20

microfocuscobol_serverMatch8.0patch_update_8

microfocuscobol_serverMatch8.0patch_update_9

microfocuscobol_serverMatch9.0patch_update_1

microfocusenterprise_developerMatch7.0patch_update_19

microfocusenterprise_developerMatch7.0patch_update_20

microfocusenterprise_developerMatch8.0patch_update_8

microfocusenterprise_developerMatch8.0patch_update_9

microfocusenterprise_developerMatch9.0patch_update_1

microfocusenterprise_serverMatch7.0patch_update_19

microfocusenterprise_serverMatch7.0patch_update_20

microfocusenterprise_serverMatch8.0patch_update_8

microfocusenterprise_serverMatch8.0patch_update_9

microfocusenterprise_serverMatch9.0patch_update_1

microfocusenterprise_test_serverMatch7.0patch_update_19

microfocusenterprise_test_serverMatch7.0patch_update_20

microfocusenterprise_test_serverMatch8.0patch_update_8

microfocusenterprise_test_serverMatch8.0patch_update_9

microfocusenterprise_test_serverMatch9.0patch_update_1

microfocusvisual_cobolMatch7.0patch_update_19

microfocusvisual_cobolMatch7.0patch_update_20

microfocusvisual_cobolMatch8.0patch_update_8

microfocusvisual_cobolMatch8.0patch_update_9

microfocusvisual_cobolMatch9.0patch_update_1

CPENameOperatorVersion
microfocus:cobol_servermicrofocus cobol servereq7.0
microfocus:cobol_servermicrofocus cobol servereq8.0
microfocus:cobol_servermicrofocus cobol servereq9.0
microfocus:enterprise_developermicrofocus enterprise developereq7.0
microfocus:enterprise_developermicrofocus enterprise developereq8.0
microfocus:enterprise_developermicrofocus enterprise developereq9.0
microfocus:enterprise_servermicrofocus enterprise servereq7.0
microfocus:enterprise_servermicrofocus enterprise servereq8.0
microfocus:enterprise_servermicrofocus enterprise servereq9.0
microfocus:enterprise_test_servermicrofocus enterprise test servereq7.0

CPE	Name	Operator	Version
microfocus:cobol_server	microfocus cobol server	eq	7.0
microfocus:cobol_server	microfocus cobol server	eq	8.0
microfocus:cobol_server	microfocus cobol server	eq	9.0
microfocus:enterprise_developer	microfocus enterprise developer	eq	7.0
microfocus:enterprise_developer	microfocus enterprise developer	eq	8.0
microfocus:enterprise_developer	microfocus enterprise developer	eq	9.0
microfocus:enterprise_server	microfocus enterprise server	eq	7.0
microfocus:enterprise_server	microfocus enterprise server	eq	8.0
microfocus:enterprise_server	microfocus enterprise server	eq	9.0
microfocus:enterprise_test_server	microfocus enterprise test server	eq	7.0

Rows per page:

1-10 of 151

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Windows",
      "Linux",
      "AIX Solaris HP-UX"
    ],
    "product": "Visual COBOL, COBOL Server, Enterprise Developer, Enterprise Server",
    "vendor": "OpenText",
    "versions": [
      {
        "lessThan": "7.0.21",
        "status": "affected",
        "version": "7.0.19",
        "versionType": "patch update"
      },
      {
        "lessThan": "8.0.10",
        "status": "affected",
        "version": "8.0.8",
        "versionType": "patch update"
      },
      {
        "lessThan": "9.0.2",
        "status": "affected",
        "version": "9.0.1",
        "versionType": "patch update"
      }
    ]
  }
]

References

portal.microfocus.com/s/article/KM000021287

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

39.3%

JSON

Related for CVE-2023-4501

prion1 cvelist1 nvd1