Unauthenticated Remote Code Execution in Oracle PeopleSoft Enterprise PeopleTools
CVE-2022-21639

6.1MEDIUM

Key Information:

Vendor: Oracle
Status: Peoplesoft Enterprise Pt Peopletools
Vendor: CVE Published:; 18 October 2022

Summary

An unauthenticated vulnerability exists in Oracle's PeopleSoft Enterprise PeopleTools, specifically within the Elastic Search Integration component, that allows attackers with network access to exploit the system. Affected versions 8.59 and 8.60 permit unauthorized actions including updates, inserts, and deletions of accessible data, as well as unauthorized reading of certain data. Successful exploitation necessitates human interaction from a user other than the attacker, allowing for potential extensive impacts on additional interconnected products. Organizations are encouraged to review their configurations and apply necessary patches to mitigate risks associated with this vulnerability.

Affected Version(s)

PeopleSoft Enterprise PT PeopleTools 8.59

PeopleSoft Enterprise PT PeopleTools 8.60

References

https://www.oracle.com/security-alerts/cpuoct2022.html

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Oct 18, 2022
Vulnerability Reserved
Nov 15, 2021