CVE-2015-9245

Insecure default configuration in Progress Software OpenEdge 10.2x and 11.x allows unauthenticated remote attackers to specify arbitrary URLs from which to load and execute malicious Java classes via port 20931.

Published: Oct 31, 2017
Updated: Apr 13, 2023
CVE: CVE-2015-9245
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-284

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
progress / openedge	11.2	11.2.x
progress / openedge	11.5	11.5.x
progress / openedge	11.4	11.4.x
progress / openedge	11.3	11.3.x
progress / openedge	11.1	11.1.x
progress / openedge	11.0	11.0.x
progress / openedge	10.2b08	10.2b08.x
progress / openedge	10.2b07	10.2b07.x
progress / openedge	10.2a	10.2a.x
progress / openedge	10.2b	10.2b.x

https://knowledgebase.progress.com/articles/Article/How-to-prevent-Java-RMI-class-loader-exploit-with-AdminServer

Vulnerability Database

CVE-2015-9245

Deep Security Visibility Without the Complexity