CVE-2024-7745 - OpenCVE

In WS_FTP Server versions before 8.8.8 (2022.0.8), a Missing Critical Step in Multi-Factor Authentication of the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Progress	Ws Ftp Server

Configuration 1 [-]

cpe:2.3:a:progress:ws_ftp_server:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-August-2024
https://www.progress.com/ftp-server

History

Wed, 04 Sep 2024 18:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-287
CPEs		cpe:2.3:a:progress:ws_ftp_server::::::::

Wed, 28 Aug 2024 18:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Progress Progress ws Ftp Server
CPEs		cpe:2.3:a:progress:ws_ftp_server:-:::::::*
Vendors & Products		Progress Progress ws Ftp Server
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 28 Aug 2024 16:45:00 +0000

Type	Values Removed	Values Added
Description		In WS_FTP Server versions before 8.8.8 (2022.0.8), a Missing Critical Step in Multi-Factor Authentication of the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only.
Title		Multi-Factor Authentication Bypass in Progress WS_FTP Server
Weaknesses		CWE-290 CWE-304
References		https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-August-2024 https://www.progress.com/ftp-server
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published: 2024-08-28T16:31:03.604Z

Updated: 2024-08-28T17:43:13.099Z

Reserved: 2024-08-13T14:28:44.585Z

Link: CVE-2024-7745

Vulnrichment

Updated: 2024-08-28T17:42:32.255Z

NVD

Status : Analyzed

Published: 2024-08-28T17:15:11.593

Modified: 2024-09-04T17:57:57.637

Link: CVE-2024-7745

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-7745", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "state": "PUBLISHED", "assignerShortName": "ProgressSoftware", "dateReserved": "2024-08-13T14:28:44.585Z", "datePublished": "2024-08-28T16:31:03.604Z", "dateUpdated": "2024-08-28T17:43:13.099Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows"], "product": "WS_FTP Server", "vendor": "Progress Software Corporation", "versions": [{"lessThan": "8.8.8", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "isira_adithya from BugCrowd"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">In WS_FTP Server versions before 8.8.8 (2022.0.8), a Missing Critical Step in Multi-Factor Authentication of the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only.</span><br>"}], "value": "In WS_FTP Server versions before 8.8.8 (2022.0.8), a Missing Critical Step in Multi-Factor Authentication of the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only."}], "impacts": [{"capecId": "CAPEC-114", "descriptions": [{"lang": "en", "value": "CAPEC-114 Authentication Abuse"}]}, {"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}, {"capecId": "CAPEC-554", "descriptions": [{"lang": "en", "value": "CAPEC-554 Functionality Bypass"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-304", "description": "CWE-304 Missing Critical Step in Authentication", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-290", "description": "CWE-290 Authentication Bypass by Spoofing", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2024-08-28T16:31:03.604Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-August-2024"}, {"tags": ["product"], "url": "https://www.progress.com/ftp-server"}], "source": {"discovery": "EXTERNAL"}, "title": "Multi-Factor Authentication Bypass in Progress WS_FTP Server", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "progress", "product": "ws_ftp_server", "cpes": ["cpe:2.3:a:progress:ws_ftp_server:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "8.8.8", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-28T17:40:35.624678Z", "id": "CVE-2024-7745", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-28T17:43:13.099Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-7745", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-28T17:40:35.624678Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:progress:ws_ftp_server:-:*:*:*:*:*:*:*"], "vendor": "progress", "product": "ws_ftp_server", "versions": [{"status": "affected", "version": "0", "lessThan": "8.8.8", "versionType": "semver"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-28T17:42:32.255Z"}}], "cna": {"title": "Multi-Factor Authentication Bypass in Progress WS_FTP Server", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "isira_adithya from BugCrowd"}], "impacts": [{"capecId": "CAPEC-114", "descriptions": [{"lang": "en", "value": "CAPEC-114 Authentication Abuse"}]}, {"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}, {"capecId": "CAPEC-554", "descriptions": [{"lang": "en", "value": "CAPEC-554 Functionality Bypass"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Progress Software Corporation", "product": "WS_FTP Server", "versions": [{"status": "affected", "version": "0", "lessThan": "8.8.8", "versionType": "semver"}], "platforms": ["Windows"], "defaultStatus": "unaffected"}], "references": [{"url": "https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-August-2024", "tags": ["vendor-advisory"]}, {"url": "https://www.progress.com/ftp-server", "tags": ["product"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "In WS_FTP Server versions before 8.8.8 (2022.0.8), a Missing Critical Step in Multi-Factor Authentication of the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">In WS_FTP Server versions before 8.8.8 (2022.0.8), a Missing Critical Step in Multi-Factor Authentication of the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only.</span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-304", "description": "CWE-304 Missing Critical Step in Authentication"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-290", "description": "CWE-290 Authentication Bypass by Spoofing"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2024-08-28T16:31:03.604Z"}}}, "cveMetadata": {"cveId": "CVE-2024-7745", "state": "PUBLISHED", "dateUpdated": "2024-08-28T17:43:13.099Z", "dateReserved": "2024-08-13T14:28:44.585Z", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "datePublished": "2024-08-28T16:31:03.604Z", "assignerShortName": "ProgressSoftware"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:progress:ws_ftp_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "4C8672E4-5F87-4A71-93F9-914643F56F4F", "versionEndExcluding": "8.8.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In WS_FTP Server versions before 8.8.8 (2022.0.8), a Missing Critical Step in Multi-Factor Authentication of the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only."}, {"lang": "es", "value": "En las versiones del servidor WS_FTP anteriores a 8.8.8 (2022.0.8), un paso cr\u00edtico faltante en la autenticaci\u00f3n multifactor del m\u00f3dulo de transferencia web permite a los usuarios omitir la verificaci\u00f3n de segundo factor e iniciar sesi\u00f3n solo con nombre de usuario y contrase\u00f1a."}], "id": "CVE-2024-7745", "lastModified": "2024-09-04T17:57:57.637", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "security@progress.com", "type": "Secondary"}]}, "published": "2024-08-28T17:15:11.593", "references": [{"source": "security@progress.com", "tags": ["Vendor Advisory"], "url": "https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-August-2024"}, {"source": "security@progress.com", "tags": ["Product"], "url": "https://www.progress.com/ftp-server"}], "sourceIdentifier": "security@progress.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-290"}, {"lang": "en", "value": "CWE-304"}], "source": "security@progress.com", "type": "Secondary"}]}