Unauthorized Access to Sensitive Data via HTTP
CVE-2024-20929

6.5MEDIUM

Key Information:

Vendor: Oracle
Status: Application Object Library
Vendor: CVE Published:; 17 February 2024

Summary

A vulnerability exists in the Oracle Application Object Library component of the Oracle E-Business Suite, specifically concerning database privileges. It affects versions 12.2.3 through 12.2.13. An unauthenticated attacker can exploit this vulnerability over HTTP, enabling them to perform unauthorized actions such as updates, inserts, or deletes on accessible data within the Application Object Library. Additionally, attackers may gain unauthorized read access to specific subsets of data. The impact includes potential compromises to data integrity and confidentiality within affected systems.

Affected Version(s)

Application Object Library 12.2.3 <= 12.2.13

References

https://www.oracle.com/security-alerts/cpujan2024.html

vendor-advisory

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 17, 2024
Vulnerability Reserved
Dec 7, 2023