CVE-2016-0456

Currently unrated

Key Information:

Vendor: Oracle
Status: E-business Suite
Vendor: CVE Published:; 21 January 2016

Summary

Unspecified vulnerability in the Application Mgmt Pack for E-Business Suite component in Oracle E-Business Suite 12.1 and 12.2 allows remote attackers to affect confidentiality via vectors related to REST Framework, a different vulnerability than CVE-2016-0457. NOTE: the previous information is from the January 2016 CPU. Oracle has not commented on third-party claims that this issue is an XML External Entity (XXE) vulnerability, which allows remote attackers to read arbitrary files, cause a denial of service, conduct server-side request forgery (SSRF) attacks, or conduct SMB Relay attacks via a crafted DTD in an XML request to OA_HTML/copxmllcmservicecontroller.js.

References

http://www.oracle.com/technetwork/topics/security/cpujan2...

x_refsource_CONFIRM

http://www.securitytracker.com/id/1034726

vdb-entryx_refsource_SECTRACK

https://erpscan.io/advisories/erpscan-16-006-oracle-e-bus...

x_refsource_MISC

Timeline

Vulnerability published
Jan 21, 2016
Vulnerability Reserved
Dec 9, 2015