Unauthorized Data Access in Oracle E-Business Suite Component
CVE-2024-21031

6.1MEDIUM

Key Information:

Vendor: Oracle
Status: Complex Maintenance, Repair, And Overhaul
Vendor: CVE Published:; 16 April 2024

Summary

A vulnerability in Oracle Complex Maintenance, Repair, and Overhaul within the Oracle E-Business Suite allows an unauthenticated attacker with network access to exploit the system. The attacker can compromise sensitive data without needing direct interaction, requiring only that a user is misled into interacting with a crafted request. Successful exploitation may lead to unauthorized update, insert, or delete access to key data, along with unauthorized read access to some data subsets, potentially impacting additional products due to the scope change. Users of the affected versions are strongly advised to apply the necessary updates to mitigate the associated risks.

Affected Version(s)

Complex Maintenance, Repair, and Overhaul 12.2.3 <= 12.2.13

References

https://www.oracle.com/security-alerts/cpuapr2024.html

vendor-advisory

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Apr 16, 2024