Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Network
0

CVE-2023-32265

Disclosure Date: July 20, 2023
CVE-2023-32265 CVSS v3 Base Score: 6.5
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A potential security vulnerability has been identified in the Enterprise Server Common Web Administration (ESCWA) component used in Enterprise Server, Enterprise Test Server, Enterprise Developer, Visual COBOL, and COBOL Server.
An attacker would need to be authenticated into ESCWA to attempt to exploit this vulnerability. As described in the hardening guide in the product documentation, other mitigations including restricting network access to ESCWA and restricting users’ permissions in the Micro Focus Directory Server also reduce the exposure to this issue.

Given the right conditions this vulnerability could be exploited to expose a service account password. The account corresponding to the exposed credentials usually has limited privileges and, in many cases would only be useful for extracting details of other user accounts and similar information.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
6.5 Medium
Impact Score:
3.6
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
None
Availability (A):
None

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Enterprise Server 6.0 update 24
Enterprise Server 7.0 update 17
Enterprise Server 8.0 update 6
Enterprise Test Server 6.0 update 24
Enterprise Test Server 7.0 update 17
Enterprise Test Server 8.0 update 6
Enterprise Developer 6.0 update 24
Enterprise Developer 7.0 update 17
Enterprise Developer 8.0 update 6
Visual COBOL 6.0 update 24
Visual COBOL 7.0 update 17
Visual COBOL 8.0 update 6
COBOL Server 6.0 update 24
COBOL Server 7.0 update 17
COBOL Server 8.0 update 6
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • microfocus

Products

  • cobol server 6.0,
  • cobol server 7.0,
  • cobol server 8.0,
  • enterprise developer 6.0,
  • enterprise developer 7.0,
  • enterprise developer 8.0,
  • enterprise server 6.0,
  • enterprise server 7.0,
  • enterprise server 8.0,
  • enterprise test server 6.0,
  • enterprise test server 7.0,
  • enterprise test server 8.0,
  • visual cobol 6.0,
  • visual cobol 7.0,
  • visual cobol 8.0

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis