Unattended Remote Code Execution Vulnerability in Oracle Essbase Administration Services
CVE-2021-35652

10CRITICAL

Key Information:

Vendor: Oracle
Status: Hyperion Essbase Administration Services
Vendor: CVE Published:; 20 October 2021

Summary

A vulnerability in Oracle's Essbase Administration Services component allows an unauthenticated attacker with network access via HTTP to compromise the services. Affected versions include those prior to 11.1.2.4.046 and 21.3, making it particularly critical for users operating outdated releases. Successful exploitation can lead to full control over Essbase Administration Services, posing significant risk to its integrity, confidentiality, and availability. Attackers can leverage this vulnerability to perform unauthorized actions, resulting in widespread consequences across additional Oracle products.

Affected Version(s)

Hyperion Essbase Administration Services < 11.1.2.4.046

Hyperion Essbase Administration Services < 21.3

References

https://www.oracle.com/security-alerts/cpuoct2021.html

x_refsource_MISC

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Oct 20, 2021
Vulnerability Reserved
Jun 28, 2021