SQL Injection Vulnerability in JD Edwards EnterpriseOne Orchestrator by Oracle
CVE-2023-22050

5.4MEDIUM

Key Information:

Vendor: Oracle
Status: Jd Edwards Enterpriseone Orchestrator
Vendor: CVE Published:; 18 July 2023

Summary

A vulnerability exists in the JD Edwards EnterpriseOne Orchestrator component of Oracle's JD Edwards. This flaw allows low-privileged attackers with network access to manipulate the Orchestrator, potentially leading to unauthorized modifications, inserts, or deletions of accessible data. Additionally, attackers might gain unauthorized read access to certain data sets, compromising both the confidentiality and integrity of information within the JD Edwards EnterpriseOne Orchestrator, specifically in versions prior to 9.2.7.4.

Affected Version(s)

JD Edwards EnterpriseOne Orchestrator * < 9.2.7.4

References

https://www.oracle.com/security-alerts/cpujul2023.html

vendor-advisory

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 18, 2023
Vulnerability Reserved
Dec 17, 2022