Vulnerability in PeopleSoft Enterprise PeopleTools by Oracle affecting Elastic Search
CVE-2023-21844

5.4 MEDIUM

Key Information:

Vendor: Oracle
CVE Published: 18 January 2023

Summary

A vulnerability exists in Oracle's PeopleSoft Enterprise PeopleTools, specifically within the Elastic Search component. It allows a low-privileged attacker with network access via HTTP to compromise the affected system. Successful exploitation may lead to unauthorized update, insert, or delete operations on accessible data, as well as unauthorized reading of certain data. The attack requires interaction from a user, which increases the complexity of exploitation. Because the vulnerability changes scope, its impact is not limited to PeopleTools and can extend to other connected products.

Affected Version(s)

PeopleSoft Enterprise PT PeopleTools 8.59

PeopleSoft Enterprise PT PeopleTools 8.60

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.