
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2024-7346 is a security vulnerability affecting OpenEdge software where host name validation for TLS certificates is bypassed when using installed OpenEdge default certificates during TLS handshake for networked connections. The vulnerability was disclosed in September 2024 and affects OpenEdge versions up to 11.7.19 and LTS versions from 12.0 up to 12.2.14 (NVD).
The vulnerability allows bypass of host name validation when using default OpenEdge TLS certificates for network connections. It has received a CVSS v3.1 base score of 7.2 (HIGH) from Progress Software Corporation with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, while NIST assigned a score of 4.8 (MEDIUM) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N. The vulnerability is classified under CWE-287 (Improper Authentication) and CWE-297 (Improper Validation of Certificate with Host Mismatch) (NVD).
Because the default certificates override host name validation, a connection that uses them is not checked against the host name it was meant to reach, which can compromise the security of networked connections. This undermines the integrity of TLS certificate validation, which is crucial for secure network communications (NVD).
The recommended mitigation is to replace the existing default certificates with CA-signed certificates from a recognized certificate authority that contain the necessary information to support host name validation. This ensures that default certificates can no longer override host name validation where full TLS certificate validation is needed for network security (NVD).
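The mitigation above only helps if the replacement certificate carries names that host name validation can match. As an added example (not from the advisory or from Progress), this Python check takes a certificate in the dict layout returned by `ssl.SSLSocket.getpeercert()` and reports which expected host names its subjectAltName does not cover; the host names, addresses and sample certificates are constructed.

```python
import ipaddress


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style match: wildcard only as the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Refuse overly broad wildcards such as "*.com".
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return "*" not in pattern and p_labels == h_labels


def cert_covers_host(cert: dict, host: str) -> bool:
    """True if the certificate's subjectAltName covers `host`.

    The subject commonName is deliberately ignored: a certificate with no
    SAN entries fails, since it cannot support strict host name validation.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_match(value, host):
            return True
    return False


def audit(cert: dict, expected_hosts: list[str]) -> list[str]:
    """Return the expected host names the certificate does NOT cover."""
    return [h for h in expected_hosts if not cert_covers_host(cert, h)]


# Constructed sample certificates (placeholder names, not OpenEdge's own).
NO_SAN_CERT = {"subject": ((("commonName", "placeholder-default-cert"),),)}
CA_SIGNED = {
    "subject": ((("commonName", "db1.example.internal"),),),
    "subjectAltName": (("DNS", "db1.example.internal"),
                       ("DNS", "*.app.example.internal"),
                       ("IP Address", "10.0.0.5")),
}
```

An empty list from `audit` means every expected name is covered; any name returned is one a validating client would reject for that certificate.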
Source: This report was generated using AI