{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-32265", "assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84", "state": "PUBLISHED", "assignerShortName": "OpenText", "dateReserved": "2023-05-05T14:42:20.153Z", "datePublished": "2023-07-20T13:01:38.269Z", "dateUpdated": "2023-07-20T13:01:38.269Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Enterprise Server", "vendor": "Micro Focus", "versions": [{"lessThanOrEqual": "6.0 update 24", "status": "affected", "version": "6.0", "versionType": "semver"}, {"lessThanOrEqual": "7.0 update 17", "status": "affected", "version": "7.0", "versionType": "semver"}, {"lessThanOrEqual": "8.0 update 6", "status": "affected", "version": "8.0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "Enterprise Test Server", "vendor": "Micro Focus", "versions": [{"lessThanOrEqual": "6.0 update 24", "status": "affected", "version": "6.0", "versionType": "semver"}, {"lessThanOrEqual": "7.0 update 17", "status": "affected", "version": "7.0", "versionType": "semver"}, {"lessThanOrEqual": "8.0 update 6", "status": "affected", "version": "8.0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "Enterprise Developer", "vendor": "Micro Focus", "versions": [{"lessThanOrEqual": "6.0 update 24", "status": "affected", "version": "6.0", "versionType": "semver"}, {"lessThanOrEqual": "7.0 update 17", "status": "affected", "version": "7.0", "versionType": "semver"}, {"lessThanOrEqual": "8.0 update 6", "status": "affected", "version": "8.0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "Visual COBOL", "vendor": "Micro Focus", "versions": [{"lessThanOrEqual": "6.0 update 24", "status": "affected", "version": "6.0", "versionType": "semver"}, {"lessThanOrEqual": "7.0 update 17", "status": "affected", "version": "7.0", "versionType": "semver"}, {"lessThanOrEqual": "8.0 update 6", "status": "affected", "version": "8.0 ", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "COBOL Server", "vendor": "Micro Focus", "versions": [{"lessThanOrEqual": "6.0 update 24", "status": "affected", "version": "6.0", "versionType": "semver"}, {"lessThanOrEqual": "7.0 update 17", "status": "affected", "version": "7.0", "versionType": "semver"}, {"lessThanOrEqual": "8.0 update 6", "status": "affected", "version": "8.0 ", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Richard R Rohrkemper III @Early Warning Security "}], "datePublic": "2023-07-19T13:50:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">A potential security vulnerability has been identified in the Enterprise Server Common Web Administration (ESCWA) component used in Enterprise Server, Enterprise Test Server, Enterprise Developer, Visual COBOL, and COBOL Server.</span><br><span style=\"background-color: rgb(255, 255, 255);\">An attacker would need to be authenticated into ESCWA to attempt to exploit this vulnerability. As described in the hardening guide in the product documentation, other mitigations including restricting network access to ESCWA and restricting users\u00e2\u20ac\u2122 permissions in the Micro Focus Directory Server also reduce the exposure to this issue.</span><br><br><span style=\"background-color: rgb(255, 255, 255);\">Given the right conditions this vulnerability could be exploited to expose a service account password. The account corresponding to the exposed credentials usually has limited privileges and, in many cases would only be useful for extracting details of other user accounts and similar information.</span>\n\n"}], "value": "\nA potential security vulnerability has been identified in the Enterprise Server Common Web Administration (ESCWA) component used in Enterprise Server, Enterprise Test Server, Enterprise Developer, Visual COBOL, and COBOL Server.\nAn attacker would need to be authenticated into ESCWA to attempt to exploit this vulnerability. As described in the hardening guide in the product documentation, other mitigations including restricting network access to ESCWA and restricting users\u00e2\u20ac\u2122 permissions in the Micro Focus Directory Server also reduce the exposure to this issue.\n\nGiven the right conditions this vulnerability could be exploited to expose a service account password. The account corresponding to the exposed credentials usually has limited privileges and, in many cases would only be useful for extracting details of other user accounts and similar information.\n\n"}], "impacts": [{"descriptions": [{"lang": "en", "value": "Password exposure for service account"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "f81092c5-7f14-476d-80dc-24857f90be84", "shortName": "OpenText", "dateUpdated": "2023-07-20T13:01:38.269Z"}, "references": [{"url": "https://portal.microfocus.com/s/article/KM000019323?language=en_US"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Enterprise Server, Enterprise Test Server, Enterprise Developer, Visual COBOL, and COBOL Server Versions 6.0, 7.0, and 8.0 all include a fix for this issue in their latest released patch updates.</span>\n\n<br>"}], "value": "\nEnterprise Server, Enterprise Test Server, Enterprise Developer, Visual COBOL, and COBOL Server Versions 6.0, 7.0, and 8.0 all include a fix for this issue in their latest released patch updates.\n\n\n"}], "source": {"discovery": "UNKNOWN"}, "title": "Mitigations and availability of updates relating to security vulnerability in ESCWA component CVE-2023-32265.", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microfocus:cobol_server:6.0:-:*:*:*:*:*:*", "matchCriteriaId": "3126671E-BE13-4240-B51F-C6FC9F3BABCE", "vulnerable": true}, {"criteria": "cpe:2.3:a:microfocus:cobol_server:7.0:-:*:*:*:*:*:*", "matchCriteriaId": "BD7DBDAA-E0C3-44E7-897F-59ED52990741", "vulnerable": true}, {"criteria": "cpe:2.3:a:microfocus:cobol_server:8.0:-:*:*:*:*:*:*", "matchCriteriaId": "1A2BBD33-F853-494F-98FA-F5436AA6D4B0", "vulnerable": true}, {"criteria": "cpe:2.3:a:microfocus:enterprise_developer:6.0:-:*:*:*:*:*:*", "matchCriteriaId": "EF035EDF-2882-49C0-BABA-BA74169077CA", "vulnerable": true}, {"criteria": "cpe:2.3:a:microfocus:enterprise_developer:7.0:-:*:*:*:*:*:*", "matchCriteriaId": "9E523EE6-1949-4890-97AD-6C06062115B3", "vulnerable": true}, {"criteria": "cpe:2.3:a:microfocus:enterprise_developer:8.0:-:*:*:*:*:*:*", "matchCriteriaId": "2E411AFF-F1FF-4548-B2F0-DC15016FCACF", "vulnerable": true}, {"criteria": "cpe:2.3:a:microfocus:enterprise_server:6.0:-:*:*:*:*:*:*", "matchCriteriaId": "681ED2CA-D5DE-4828-AD4C-22042927AD56", "vulnerable": true}, {"criteria": "cpe:2.3:a:microfocus:enterprise_server:7.0:-:*:*:*:*:*:*", "matchCriteriaId": "B43620BE-A850-4CB8-958E-802744DAE5EB", "vulnerable": true}, {"criteria": "cpe:2.3:a:microfocus:enterprise_server:8.0:-:*:*:*:*:*:*", "matchCriteriaId": "1F47D3F3-6779-4501-B53D-A423F325BC7A", "vulnerable": true}, {"criteria": "cpe:2.3:a:microfocus:enterprise_test_server:6.0:-:*:*:*:*:*:*", "matchCriteriaId": "F25363C5-6E2E-4A96-A6C7-4111ECCDC452", "vulnerable": true}, {"criteria": "cpe:2.3:a:microfocus:enterprise_test_server:7.0:-:*:*:*:*:*:*", "matchCriteriaId": "ADC1491E-5BCB-4FB2-864E-3246C5F2ABEF", "vulnerable": true}, {"criteria": "cpe:2.3:a:microfocus:enterprise_test_server:8.0:-:*:*:*:*:*:*", "matchCriteriaId": "08FD4630-9410-4335-9F07-A05D92CAB9B7", "vulnerable": true}, {"criteria": "cpe:2.3:a:microfocus:visual_cobol:6.0:-:*:*:*:*:*:*", "matchCriteriaId": "A60B87CD-A7FC-4761-A2F3-702EDE8AFA2C", "vulnerable": true}, {"criteria": "cpe:2.3:a:microfocus:visual_cobol:7.0:-:*:*:*:*:*:*", "matchCriteriaId": "3440F8D5-194F-4592-A847-859353250DC2", "vulnerable": true}, {"criteria": "cpe:2.3:a:microfocus:visual_cobol:8.0:-:*:*:*:*:*:*", "matchCriteriaId": "512DEAD9-6ABF-42FC-AD28-6F1BD039B8D9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\nA potential security vulnerability has been identified in the Enterprise Server Common Web Administration (ESCWA) component used in Enterprise Server, Enterprise Test Server, Enterprise Developer, Visual COBOL, and COBOL Server.\nAn attacker would need to be authenticated into ESCWA to attempt to exploit this vulnerability. As described in the hardening guide in the product documentation, other mitigations including restricting network access to ESCWA and restricting users\u00e2\u20ac\u2122 permissions in the Micro Focus Directory Server also reduce the exposure to this issue.\n\nGiven the right conditions this vulnerability could be exploited to expose a service account password. The account corresponding to the exposed credentials usually has limited privileges and, in many cases would only be useful for extracting details of other user accounts and similar information.\n\n"}], "id": "CVE-2023-32265", "lastModified": "2023-07-31T17:06:15.177", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security@opentext.com", "type": "Secondary"}]}, "published": "2023-07-20T14:15:11.193", "references": [{"source": "security@opentext.com", "tags": ["Vendor Advisory"], "url": "https://portal.microfocus.com/s/article/KM000019323?language=en_US"}], "sourceIdentifier": "security@opentext.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}