Unauthenticated HTTP Vulnerability in Oracle E-Business Suite's Maintenance Product
CVE-2024-21026

7.1HIGH

Key Information:

Vendor: Oracle
Status: Complex Maintenance, Repair, And Overhaul
Vendor: CVE Published:; 16 April 2024

What is CVE-2024-21026?

An unpatched vulnerability in Oracle's Complex Maintenance, Repair, and Overhaul component allows unauthenticated attackers to exploit the system through HTTP. Attackers can gain unauthorized access to data, permitting updates, inserts, or deletions without detection. Successful exploitation necessitates human interaction from a user, potentially leading to significant data breaches across other interconnected applications within the Oracle E-Business Suite.

Affected Version(s)

Complex Maintenance, Repair, and Overhaul 12.2.3 <= 12.2.13

References

https://www.oracle.com/security-alerts/cpuapr2024.html

vendor-advisory

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 16, 2024