Unauthenticated Remote Code Execution in Oracle E-Business Suite - CRM User Management Framework
CVE-2021-2436

8.2 HIGH

Key Information:

Vendor: Oracle
CVE Published: 20 July 2021

Summary

A vulnerability in the Oracle Common Applications product of Oracle E-Business Suite (component: CRM User Management Framework) allows an unauthenticated attacker with network access via HTTP to compromise the application. Successful exploitation requires human interaction from a victim. The vulnerability can lead to unauthorized access to sensitive data and, because its impact is not confined to the vulnerable component, can affect various other Oracle applications. Attackers could also perform unauthorized updates, inserts, or deletions of data accessible to Oracle Common Applications, affecting both the confidentiality and the integrity of the system.

Affected Version(s)

Common Applications 12.1.1-12.1.3

Common Applications 12.2.3-12.2.10

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved