Unauthorized Access to Sensitive Data via HTTP
CVE-2024-21150

6.1 MEDIUM

Key Information:

Vendor
Oracle
CVE Published:
16 July 2024

Summary

A significant vulnerability exists within the JD Edwards EnterpriseOne Tools product, specifically affecting the Web Runtime component. This issue allows an unauthenticated attacker with network access through HTTP to compromise the functionality of JD Edwards EnterpriseOne Tools. Successful exploitation requires human interaction from a third party, that is, someone other than the attacker, and can result in unauthorized access. While the flaw is specifically within JD Edwards EnterpriseOne Tools, the impact can extend to other intertwined products, which is reflected in the changed scope of the CVSS rating. The vulnerability can lead to unauthorized updates, inserts, or deletions of accessible data, as well as unauthorized reading of certain data sets, compromising both the confidentiality and the integrity of sensitive information.

Affected Version(s)

JD Edwards EnterpriseOne Tools * < 9.2.8.2

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published