Progress Application Server (PAS) for OpenEdge File Upload via Directory Traversal
CVE-2023-40051

9.9CRITICAL

Key Information:

Vendor: Progress Software
Status: OpenEdge
Vendor: CVE Published:; 18 January 2024

Summary

The identified vulnerability within Progress Application Server for OpenEdge enables attackers to send specially crafted requests via the WEB transport protocol. This can lead to unintended file uploads to directories on the server system. If the uploaded file contains a malicious payload, this can potentially allow attackers to exploit the server further, leading to severe impacts on the server's integrity and security, possibly paving the way for large-scale attacks on the server or its connected network.

Affected Version(s)

OpenEdge 11.7.0

OpenEdge 11.7.0 < 11.7.18

OpenEdge 12.2.0 < 12.2.13

References

https://www.progress.com/openedge

product

https://community.progress.com/s/article/Important-Progre...

vendor-advisory

CVSS V3.1

Score:

9.9

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Jan 18, 2024
Vulnerability Reserved
Aug 8, 2023

Collectors

NVD DatabaseMitre Database