OpenEdge Hostname Validation Bypass via Default TLS Certs
CVE-2024-7346 Published on September 3, 2024
Client connections using default TLS certificates from OpenEdge may bypass TLS host name validation
Host name validation for TLS certificates is bypassed when the installed OpenEdge default certificates are used to perform the TLS handshake for a networked connection. This has been corrected so that default certificates are no longer capable of overriding host name validation and will need to be replaced where full TLS certificate validation is needed for network security. The existing certificates should be replaced with CA-signed certificates from a recognized certificate authority that contain the necessary information to support host name validation.
Vulnerability Analysis
CVE-2024-7346 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
Improper Validation of Certificate with Host Mismatch
The software communicates with a host that provides a certificate, but the software does not properly ensure that the certificate is actually associated with that host.
Products Associated with CVE-2024-7346
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-7346 are published in Progress Openedge:
Affected Versions
Progress OpenEdge:- Version 11.7.0, <= 11.7.19 is affected.
- Version 12.2.0, <= 12.2.14 is affected.
- Version 12.8.0 is unaffected.
- Version 11.7.0, <= 11.7.19 is affected.
- Version 12.2.0, <= 12.2.14 is affected.
- Version 12.8.0 is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.