Web Runtime Security Flaw in Oracle JD Edwards EnterpriseOne Tools
CVE-2025-21586
Summary
A vulnerability in the Web Runtime SEC component of Oracle JD Edwards EnterpriseOne Tools allows a low-privileged attacker with network access via HTTP to compromise the system. The issue affects supported versions 9.2.0.0 through 9.2.9.2. Exploitation requires interaction from a person other than the attacker. Although the vulnerability resides in JD Edwards EnterpriseOne Tools, a successful attack could also impact connected products. Attackers may gain unauthorized update, insert, or delete capabilities, as well as unauthorized read access to sensitive data within JD Edwards EnterpriseOne Tools.
Affected Version(s)
JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.9.2
References
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved