CVE-2023-4501

Name: CVE-2023-4501
Creator: NVD / NIST
Published: 2023-09-12T19:15:36.333+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 0.62%

Last modified Jun 17, 2026

CVE-2023-4501 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. User authentication with username and password credentials is ineffective in OpenText (Micro Focus) Visual COBOL, COBOL Server, Enterprise Developer, and Enterprise Server (including product variants such as Enterprise Test Server), versions 7.0 patch updates 19 and 20, 8.0 patch updates 8 and 9, and 9.0 patch update 1, when LDAP-based authentication is used with certain configurations. When the vulnerability is active, authentication succeeds with any valid username, regardless of whether the password is correct; it may also succeed with an invalid username (and any password). EPSS estimates a 0.62% chance of exploitation in the next 30 days.

Description

User authentication with username and password credentials is ineffective in OpenText (Micro Focus) Visual COBOL, COBOL Server, Enterprise Developer, and Enterprise Server (including product variants such as Enterprise Test Server), versions 7.0 patch updates 19 and 20, 8.0 patch updates 8 and 9, and 9.0 patch update 1, when LDAP-based authentication is used with certain configurations. When the vulnerability is active, authentication succeeds with any valid username, regardless of whether the password is correct; it may also succeed with an invalid username (and any password). This allows an attacker with access to the product to impersonate any user. Mitigations: The issue is corrected in the upcoming patch update for each affected product. Product overlays and workaround instructions are available through OpenText Support. The vulnerable configurations are believed to be uncommon. Administrators can test for the vulnerability in their installations by attempting to sign on to a Visual COBOL or Enterprise Server component such as ESCWA using a valid username and incorrect password.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

0.62%

45.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions	Update
Microfocus	Cobol Server	7.0	Patch Update 19
Microfocus	Cobol Server	8.0	Patch Update 8
Microfocus	Cobol Server	9.0	Patch Update 1
Microfocus	Enterprise Developer	7.0	Patch Update 19
Microfocus	Enterprise Developer	8.0	Patch Update 8
Microfocus	Enterprise Developer	9.0	Patch Update 1
Microfocus	Enterprise Server	7.0	Patch Update 19
Microfocus	Enterprise Server	8.0	Patch Update 8
Microfocus	Enterprise Server	9.0	Patch Update 1
Microfocus	Enterprise Test Server	7.0	Patch Update 19
Microfocus	Enterprise Test Server	8.0	Patch Update 8
Microfocus	Enterprise Test Server	9.0	Patch Update 1
Microfocus	Visual Cobol	7.0	Patch Update 19
Microfocus	Visual Cobol	8.0	Patch Update 8
Microfocus	Visual Cobol	9.0	Patch Update 1

References

https://portal.microfocus.com/s/article/KM000021287Vendor Advisory
https://portal.microfocus.com/s/article/KM000021287Vendor Advisory

Timeline

Published: Sep 12, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-4501?

How severe is CVE-2023-4501?

CVE-2023-4501 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 0.62% probability of exploitation in the next 30 days.

How do I fix CVE-2023-4501?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-4501?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST