SQL Injection Vulnerability in Oracle Self-Service Human Resources by Oracle
CVE-2023-21834

4.3 MEDIUM

Key Information:

Vendor: Oracle
CVE Published: 18 January 2023

Summary

An SQL Injection vulnerability exists in the Oracle Self-Service Human Resources component of the Oracle E-Business Suite, specifically in versions 12.2.3 to 12.2.12. This vulnerability can be exploited by an attacker with low privileges who has network access via HTTP. It allows unauthorized access to modify, add, or delete data within the application, posing a significant risk to the integrity of sensitive information.

Affected Version(s)

Self-Service Human Resources 12.2.3-12.2.12

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
