Vulnerabilites related to Micro Focus - Enterprise Developer
CVE-2023-32265 (GCVE-0-2023-32265)
Vulnerability from cvelistv5
Published
2023-07-20 13:01
Modified
2024-10-21 13:05
Severity ?
VLAI Severity ?
EPSS score ?
Summary
A potential security vulnerability has been identified in the Enterprise Server Common Web Administration (ESCWA) component used in Enterprise Server, Enterprise Test Server, Enterprise Developer, Visual COBOL, and COBOL Server.
An attacker would need to be authenticated into ESCWA to attempt to exploit this vulnerability. As described in the hardening guide in the product documentation, other mitigations including restricting network access to ESCWA and restricting users’ permissions in the Micro Focus Directory Server also reduce the exposure to this issue.
Given the right conditions this vulnerability could be exploited to expose a service account password. The account corresponding to the exposed credentials usually has limited privileges and, in many cases would only be useful for extracting details of other user accounts and similar information.
References
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ► | Micro Focus | Enterprise Server |
Version: 6.0 ≤ 6.0 update 24 Version: 7.0 ≤ 7.0 update 17 Version: 8.0 ≤ 8.0 update 6 |
|||||||||||||||||||||
|
||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:10:24.245Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://portal.microfocus.com/s/article/KM000019323?language=en_US"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32265",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-21T13:04:02.427181Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T13:05:58.689Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Enterprise Server",
"vendor": "Micro Focus",
"versions": [
{
"lessThanOrEqual": "6.0 update 24",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0 update 17",
"status": "affected",
"version": "7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.0 update 6",
"status": "affected",
"version": "8.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Enterprise Test Server",
"vendor": "Micro Focus",
"versions": [
{
"lessThanOrEqual": "6.0 update 24",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0 update 17",
"status": "affected",
"version": "7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.0 update 6",
"status": "affected",
"version": "8.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Enterprise Developer",
"vendor": "Micro Focus",
"versions": [
{
"lessThanOrEqual": "6.0 update 24",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0 update 17",
"status": "affected",
"version": "7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.0 update 6",
"status": "affected",
"version": "8.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Visual COBOL",
"vendor": "Micro Focus",
"versions": [
{
"lessThanOrEqual": "6.0 update 24",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0 update 17",
"status": "affected",
"version": "7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.0 update 6",
"status": "affected",
"version": "8.0 ",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "COBOL Server",
"vendor": "Micro Focus",
"versions": [
{
"lessThanOrEqual": "6.0 update 24",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0 update 17",
"status": "affected",
"version": "7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.0 update 6",
"status": "affected",
"version": "8.0 ",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Richard R Rohrkemper III @Early Warning Security "
}
],
"datePublic": "2023-07-19T13:50:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA potential security vulnerability has been identified in the Enterprise Server Common Web Administration (ESCWA) component used in Enterprise Server, Enterprise Test Server, Enterprise Developer, Visual COBOL, and COBOL Server.\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn attacker would need to be authenticated into ESCWA to attempt to exploit this vulnerability. As described in the hardening guide in the product documentation, other mitigations including restricting network access to ESCWA and restricting users\u00e2\u20ac\u2122 permissions in the Micro Focus Directory Server also reduce the exposure to this issue.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eGiven the right conditions this vulnerability could be exploited to expose a service account password. The account corresponding to the exposed credentials usually has limited privileges and, in many cases would only be useful for extracting details of other user accounts and similar information.\u003c/span\u003e\n\n"
}
],
"value": "\nA potential security vulnerability has been identified in the Enterprise Server Common Web Administration (ESCWA) component used in Enterprise Server, Enterprise Test Server, Enterprise Developer, Visual COBOL, and COBOL Server.\nAn attacker would need to be authenticated into ESCWA to attempt to exploit this vulnerability. As described in the hardening guide in the product documentation, other mitigations including restricting network access to ESCWA and restricting users\u00e2\u20ac\u2122 permissions in the Micro Focus Directory Server also reduce the exposure to this issue.\n\nGiven the right conditions this vulnerability could be exploited to expose a service account password. The account corresponding to the exposed credentials usually has limited privileges and, in many cases would only be useful for extracting details of other user accounts and similar information.\n\n"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Password exposure for service account"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-20T13:01:38.269Z",
"orgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"shortName": "OpenText"
},
"references": [
{
"url": "https://portal.microfocus.com/s/article/KM000019323?language=en_US"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eEnterprise Server, Enterprise Test Server, Enterprise Developer, Visual COBOL, and COBOL Server Versions 6.0, 7.0, and 8.0 all include a fix for this issue in their latest released patch updates.\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "\nEnterprise Server, Enterprise Test Server, Enterprise Developer, Visual COBOL, and COBOL Server Versions 6.0, 7.0, and 8.0 all include a fix for this issue in their latest released patch updates.\n\n\n"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Mitigations and availability of updates relating to security vulnerability in ESCWA component CVE-2023-32265.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"assignerShortName": "OpenText",
"cveId": "CVE-2023-32265",
"datePublished": "2023-07-20T13:01:38.269Z",
"dateReserved": "2023-05-05T14:42:20.153Z",
"dateUpdated": "2024-10-21T13:05:58.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}