CVE-2023-40051

This issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0.An attacker can formulate a request for a WEB transport that allows unintended file uploads to a server directory path on the system running PASOE.  If the upload contains a payload that can further exploit the server or its network, the launch of a larger scale attack may be possible.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.1 CRITICAL
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L
ProgressSoftwareCNA
9.1 CRITICAL
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 2%
VendorProductVersion
progressopenedge
11.7 ≤
𝑥
< 11.7.18
progressopenedge
12.2 ≤
𝑥
< 12.2.13
progressopenedge_innovation
𝑥
< 12.8.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://community.progress.com/s/article/Important-Progress-OpenEdge-Critical-Alert-for-Progress-Application-Server-in-OpenEdge-PASOE-Arbitrary-File-Upload-Vulnerability-in-WEB-Transport
https://www.progress.com/openedge
https://community.progress.com/s/article/Important-Progress-OpenEdge-Critical-Alert-for-Progress-Application-Server-in-OpenEdge-PASOE-Arbitrary-File-Upload-Vulnerability-in-WEB-Transport
https://www.progress.com/openedge