CVE Tools
Sign in

CVE-2023-4501

Authentication bypass in OpenText (Micro Focus) Enterprise Server

Published: Sep 12, 2023Updated: Nov 21, 2024 Sources: CVE List NVDCWE-253
NVD MITRE
9.8CVSSCRITICAL
EPSS Score
0.6%
Top 55.0%
CISA KEV
Not in KEV
Exploits
0 Known
Remediation
Patch Available

Description

User authentication with username and password credentials is ineffective in OpenText (Micro Focus) Visual COBOL, COBOL Server, Enterprise Developer, and Enterprise Server (including product variants such as Enterprise Test Server), versions 7.0 patch updates 19 and 20, 8.0 patch updates 8 and 9, and 9.0 patch update 1, when LDAP-based authentication is used with certain configurations. When the vulnerability is active, authentication succeeds with any valid username, regardless of whether the password is correct; it may also succeed with an invalid username (and any password). This allows an attacker with access to the product to impersonate any user. Mitigations: The issue is corrected in the upcoming patch update for each affected product. Product overlays and workaround instructions are available through OpenText Support. The vulnerable configurations are believed to be uncommon. Administrators can test for the vulnerability in their installations by attempting to sign on to a Visual COBOL or Enterprise Server component such as ESCWA using a valid username and incorrect password.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:HI:HA:H
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:HConfidentiality
High
I:HIntegrity
High
A:HAvailability
High
Open in CVSS calculator →

Weaknesses

CWE-253CWE-287CWE-305CWE-358

Affected Products

Visual COBOL, COBOL Server, Enterprise Developer, Enterprise ServerOpenText
On-prem
Enterprise Software / document-mgmt
cobol servermicrofocusSecurity Products
enterprise developermicrofocusSecurity Products
enterprise servermicrofocusSecurity Products
enterprise test servermicrofocusSecurity Products
opentextcommercialCAEnterprise Softwareaka opentext corp., opentext corporation
microfocuscommercialGBSecurity Productsaka micro focus, microfocus
and 1 more affected products View all →

Attack Graph

Products CVE Techniques Tactics

Click technique nodes to view MITRE ATT&CK details. Scroll to zoom, drag to pan.

Exploitability

0 exploit sources identified

Exploit details including PoC links, Metasploit modules, and scanner templates are available after registration.

View exploit details
Official Patch Available
Workaround Available

MITRE ATT&CK

2 techniques
Initial Access
View detailed technique mapping

References

https://portal.microfocus.com/s/article/KM000021287
portal.microfocus.com

Timeline

Published
Sep 12, 2023
Last Updated
Nov 21, 2024

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2023-4501 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows