Remote Authentication Bypass in Oracle Application Testing Suite
CVE-2016-0492

Currently unrated

Key Information:

Vendor: Oracle
CVE Published: 21 January 2016

Summary

An unspecified vulnerability in the Oracle Application Testing Suite component of Oracle Enterprise Manager Grid Control versions 12.4.0.2 and 12.5.0.2 allows remote attackers to affect confidentiality and integrity. The vulnerability relates to Load Testing for Web Applications and may involve a directory traversal issue in the isAllowedUrl function: a remote attacker can bypass authentication by appending directory traversal sequences to a URI entry that does not require authentication, so the request is treated as unauthenticated-allowed while it resolves to a different endpoint. This has been demonstrated with vectors such as olt/Login.do/../../olt/UploadFileUpload.do.
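
An added example, not Oracle's code and not part of the original entry: the page does not show isAllowedUrl, so prefix_check below is an assumed stand-in for a check that only matches the start of the URI. It is set beside a check that canonicalizes first, plus a log filter for requests that pass one and fail the other. The unauthenticated path set and the log lines are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumption for illustration: the only path reachable without a session.
UNAUTHENTICATED = {"/olt/Login.do"}

def prefix_check(path):
    """Flawed pattern: trusts any URI that begins with an unauthenticated entry."""
    return any(path.startswith(p) for p in UNAUTHENTICATED)

def canonical(path):
    """Drop query/fragment, undo nested percent-encoding, collapse '.' and '..'."""
    path = path.split("?", 1)[0].split("#", 1)[0]
    for _ in range(3):                      # bounded, handles %252e style nesting
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/").lstrip("/")
    return posixpath.normpath("/" + path)

def hardened_check(path):
    """Allow only when the canonical path is exactly an unauthenticated entry."""
    return canonical(path) in UNAUTHENTICATED

REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/')

def flag_bypass_attempts(log_lines):
    """Return request targets that begin at an unauthenticated entry but resolve elsewhere."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if m and prefix_check(m.group(1)) and not hardened_check(m.group(1)):
            hits.append(m.group(1))
    return hits

# Constructed access-log lines (documentation address range).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Feb/2016:10:00:01 +0000] "GET /olt/Login.do HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Feb/2016:10:00:07 +0000] "POST /olt/Login.do/../../olt/UploadFileUpload.do HTTP/1.1" 200 48',
    '192.0.2.44 - - [01/Feb/2016:10:00:09 +0000] "POST /olt/Login.do/%2e%2e/%2e%2e/olt/UploadFileUpload.do HTTP/1.1" 200 48',
    '192.0.2.10 - - [01/Feb/2016:10:01:00 +0000] "POST /olt/UploadFileUpload.do HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for target in flag_bypass_attempts(SAMPLE_LOG):
        print("suspicious:", target, "->", canonical(target))
```

The last sample line is not flagged because it never matches the unauthenticated prefix, so the normal authentication requirement applies to it.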

EPSS Score

91% chance of being exploited in the next 30 days.

Timeline

  • Vulnerability published

  • Vulnerability Reserved