CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-21849
https://notcve.org/view.php?id=CVE-2023-21849
Vulnerability in the Oracle Applications DBA product of Oracle E-Business Suite (component: Java utils). Supported versions that are affected are 12.2.3-12.2.12. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Applications DBA. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Applications DBA accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). • https://www.oracle.com/security-alerts/cpujan2023.html • CWE-284: Improper Access Control •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-21847
https://notcve.org/view.php?id=CVE-2023-21847
Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Download). Supported versions that are affected are 12.2.3-12.2.12. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Web Applications Desktop Integrator, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Web Applications Desktop Integrator accessible data as well as unauthorized read access to a subset of Oracle Web Applications Desktop Integrator accessible data. • https://www.oracle.com/security-alerts/cpujan2023.html •
CVSS: 9.8EPSS: 97%CPEs: 1EXPL: 5CVE-2022-21587 – Oracle E-Business Suite Unspecified Vulnerability
https://notcve.org/view.php?id=CVE-2022-21587
Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). • https://github.com/hieuminhnv/CVE-2022-21587-POC https://github.com/rockmelodies/Oracle-E-BS-CVE-2022-21587-Exploit https://github.com/sahabrifki/CVE-2022-21587-Oracle-EBS- http://packetstormsecurity.com/files/171208/Oracle-E-Business-Suite-EBS-Unauthenticated-Arbitrary-File-Upload.html https://www.oracle.com/security-alerts/cpuoct2022.html https://attackerkb.com/topics/Bkij5kK1qK/cve-2022-21587/rapid7-analysis https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce https:& • CWE-306: Missing Authentication for Critical Function •
CVSS: 7.5EPSS: 94%CPEs: 2EXPL: 1CVE-2022-21500
https://notcve.org/view.php?id=CVE-2022-21500
Vulnerability in Oracle E-Business Suite (component: Manage Proxies). The supported version that is affected is 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle E-Business Suite. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle E-Business Suite accessible data. Note: Authentication is required for successful attack, however the user may be self-registered. • https://github.com/Cappricio-Securities/CVE-2022-21500 https://www.oracle.com/security-alerts/alert-cve-2022-21500.html https://www.oracle.com/security-alerts/cpujul2022.html •
CVSS: 9.0EPSS: 0%CPEs: 39EXPL: 0CVE-2022-23307 – A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution.
https://notcve.org/view.php?id=CVE-2022-23307
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists. CVE-2020-9493 identificó un problema de deserialización presente en Apache Chainsaw. Versiones anteriores a Chainsaw V2.0 Chainsaw era un componente de Apache Log4j versiones 1.2.x donde se presenta el mismo problema A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run. • https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh https://logging.apache.org/log4j/1.2/index.html https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujul2022.html https://access.redhat.com/security/cve/CVE-2022-23307 https://bugzilla.redhat.com/show_bug.cgi?id=2041967 • CWE-502: Deserialization of Untrusted Data •