Progress Software has disclosed a critical vulnerability in several versions of its Progress Application Server in OpenEdge (PASOE) software.
According to an advisory, CVE-2023-40051 affects OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0.
“An attacker can formulate a request for a web transport that allows unintended file uploads to a server directory path on the system running PASOE,” the advisory states.
“If the upload contains a payload that can further exploit the server or its network, the launch of a larger scale attack may be possible.”
Progress Software explained that the web transport supports file uploads “across all web handlers” via built-in handlers.
“The expected behaviour is that file upload is disabled by default since the value for the ‘fileUploadDirectory’ property in the openedge.properties file is blank,” the company said.
The problem is that this default (blank) setting gives the user account that launched the PASOE instance “access to all directories”; if those directories are writable, the system is subject to malicious file upload anywhere on Linux, or on the root drive under Windows.
Users who can’t patch immediately are advised that a temporary mitigation is available: set the “fileUploadDirectory” configuration property to a non-existent directory.
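As an added example (not code from the advisory or from Progress), the following audit script reads an openedge.properties fragment and classifies each fileUploadDirectory value against the advisory's guidance: blank is the vulnerable default, a non-existent path is the interim mitigation, and an existing writable path deserves review. The section names and sample values are constructed, and the file is assumed to be INI-style key=value lines.

```python
import os
import re
from pathlib import Path
from typing import Dict, List

# Constructed sample of an openedge.properties fragment (section names are
# hypothetical): the first instance keeps the blank default, the second applies
# the advisory's mitigation by pointing the property at a non-existent directory.
SAMPLE_PROPERTIES = """\
[AppServer.SessMgr.oepas1]
fileUploadDirectory=
[AppServer.SessMgr.oepas2]
fileUploadDirectory=/nonexistent/pasoe-uploads-disabled
"""

SECTION_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
KEY_RE = re.compile(r"^\s*fileUploadDirectory\s*=\s*(.*?)\s*$")


def parse_upload_dirs(text: str) -> Dict[str, str]:
    """Map each [section] to the fileUploadDirectory value set under it."""
    section = "(global)"
    found: Dict[str, str] = {}
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = KEY_RE.match(line)
        if m:
            found[section] = m.group(1)
    return found


def assess(value: str) -> str:
    """Classify one fileUploadDirectory value per the CVE-2023-40051 advisory."""
    if value == "":
        # Blank is the shipped default: uploads may land in any directory the
        # PASOE service account can write to.
        return "VULNERABLE: blank default allows upload to any writable directory"
    p = Path(value)
    if not p.exists():
        return "MITIGATED: directory does not exist, so uploads cannot land"
    if os.access(p, os.W_OK):
        return "REVIEW: existing writable directory; confirm uploads are intended"
    return "RESTRICTED: directory exists but is not writable by this account"


def audit(text: str) -> List[str]:
    """One finding line per configured instance."""
    return [f"{s}: {assess(v)}" for s, v in parse_upload_dirs(text).items()]


if __name__ == "__main__":
    for finding in audit(SAMPLE_PROPERTIES):
        print(finding)
```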