PT-2023-29350 · OpenText · Visual COBOL (+3 more products)

Published: 2023-09-12 · Updated: 2023-09-19 · CVE-2023-4501

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

OpenText (Micro Focus) Visual COBOL versions 7.0 patch updates 19 and 20
OpenText (Micro Focus) Visual COBOL versions 8.0 patch updates 8 and 9
OpenText (Micro Focus) Visual COBOL version 9.0 patch update 1
OpenText (Micro Focus) COBOL Server versions 7.0 patch updates 19 and 20
OpenText (Micro Focus) COBOL Server versions 8.0 patch updates 8 and 9
OpenText (Micro Focus) COBOL Server version 9.0 patch update 1
OpenText (Micro Focus) Enterprise Developer versions 7.0 patch updates 19 and 20
OpenText (Micro Focus) Enterprise Developer versions 8.0 patch updates 8 and 9
OpenText (Micro Focus) Enterprise Developer version 9.0 patch update 1
OpenText (Micro Focus) Enterprise Server versions 7.0 patch updates 19 and 20
OpenText (Micro Focus) Enterprise Server versions 8.0 patch updates 8 and 9
OpenText (Micro Focus) Enterprise Server version 9.0 patch update 1
Description

User authentication with username and password credentials is ineffective when LDAP-based authentication is used with certain configurations. An attacker with access to the product can impersonate any user by supplying a valid username with an incorrect password, or potentially an invalid username with any password. Administrators can test for the vulnerability by attempting to sign on to a component such as ESCWA using a valid username and an incorrect password; if the sign-on succeeds, the installation is affected.
Recommendations

Update to the upcoming patch update for each affected product line:

OpenText (Micro Focus) Visual COBOL versions 7.0 patch updates 19 and 20
OpenText (Micro Focus) Visual COBOL versions 8.0 patch updates 8 and 9
OpenText (Micro Focus) Visual COBOL version 9.0 patch update 1
OpenText (Micro Focus) COBOL Server versions 7.0 patch updates 19 and 20
OpenText (Micro Focus) COBOL Server versions 8.0 patch updates 8 and 9
OpenText (Micro Focus) COBOL Server version 9.0 patch update 1
OpenText (Micro Focus) Enterprise Developer versions 7.0 patch updates 19 and 20
OpenText (Micro Focus) Enterprise Developer versions 8.0 patch updates 8 and 9
OpenText (Micro Focus) Enterprise Developer version 9.0 patch update 1
OpenText (Micro Focus) Enterprise Server versions 7.0 patch updates 19 and 20
OpenText (Micro Focus) Enterprise Server versions 8.0 patch updates 8 and 9
OpenText (Micro Focus) Enterprise Server version 9.0 patch update 1

As a temporary workaround, consider restricting access to LDAP-based authentication until the patch is available.

Weakness Enumeration

Improperly Implemented Security Check for Standard
Improper Authentication

Related Identifiers

CVE-2023-4501

Affected Products

COBOL Server
Enterprise Developer
Enterprise Server
Visual COBOL