CVE-2019-2904
Oracle ADF Faces Deserialization of Untrusted Data Remote Code Execution Vulnerability
Severity Score
9.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Attend
*SSVC
Descriptions
Vulnerability in the Oracle JDeveloper and ADF product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 11.1.1.9.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle JDeveloper and ADF. Successful attacks of this vulnerability can result in takeover of Oracle JDeveloper and ADF. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Una vulnerabilidad en el producto Oracle JDeveloper and ADF de Oracle Fusion Middleware (componente: ADF Faces). Las versiones compatibles que están afectadas son 11.1.1.9.0, 12.1.3.0.0 y 12.2.1.3.0. Una vulnerabilidad fácilmente explotable permite a un atacante no autenticado con acceso a la red por medio de HTTP comprometer a Oracle JDeveloper and ADF. Los ataques con éxito de esta vulnerabilidad pueden resultar en la toma de control de Oracle JDeveloper and ADF. CVSS 3.0 Puntuación Base 9.8 (Impactos de la Confidencialidad, Integridad y Disponibilidad). Vector CVSS: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle ADF Faces. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the Remote Regions component. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the web server.
*Credits:
tint0 of Viettel Cyber Security
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Attend
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2018-12-14 CVE Reserved
- 2019-10-16 CVE Published
- 2024-10-15 CVE Updated
- 2024-10-27 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (7)
| URL | Tag | Source |
|---|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-19-1024 | Third Party Advisory |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html | 2021-05-18 |
| URL | Date | SRC |
|---|---|---|
| https://www.oracle.com/security-alerts/cpuapr2020.html | 2021-05-18 | |
| https://www.oracle.com/security-alerts/cpuapr2021.html | 2021-05-18 | |
| https://www.oracle.com/security-alerts/cpujan2020.html | 2021-05-18 | |
| https://www.oracle.com/security-alerts/cpujul2020.html | 2021-05-18 | |
| https://www.oracle.com/security-alerts/cpuoct2020.html | 2021-05-18 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Oracle Search vendor "Oracle" | Application Testing Suite Search vendor "Oracle" for product "Application Testing Suite" | 12.5.0.3 Search vendor "Oracle" for product "Application Testing Suite" and version "12.5.0.3" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Application Testing Suite Search vendor "Oracle" for product "Application Testing Suite" | 13.1.0.1 Search vendor "Oracle" for product "Application Testing Suite" and version "13.1.0.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Application Testing Suite Search vendor "Oracle" for product "Application Testing Suite" | 13.2.0.1 Search vendor "Oracle" for product "Application Testing Suite" and version "13.2.0.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Application Testing Suite Search vendor "Oracle" for product "Application Testing Suite" | 13.3.0.1 Search vendor "Oracle" for product "Application Testing Suite" and version "13.3.0.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Enterprise Collections Search vendor "Oracle" for product "Banking Enterprise Collections" | 2.7.0 Search vendor "Oracle" for product "Banking Enterprise Collections" and version "2.7.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Enterprise Collections Search vendor "Oracle" for product "Banking Enterprise Collections" | 2.8.0 Search vendor "Oracle" for product "Banking Enterprise Collections" and version "2.8.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Enterprise Originations Search vendor "Oracle" for product "Banking Enterprise Originations" | 2.7.0 Search vendor "Oracle" for product "Banking Enterprise Originations" and version "2.7.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Enterprise Originations Search vendor "Oracle" for product "Banking Enterprise Originations" | 2.8.0 Search vendor "Oracle" for product "Banking Enterprise Originations" and version "2.8.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Enterprise Product Manufacturing Search vendor "Oracle" for product "Banking Enterprise Product Manufacturing" | 2.7.0 Search vendor "Oracle" for product "Banking Enterprise Product Manufacturing" and version "2.7.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Enterprise Product Manufacturing Search vendor "Oracle" for product "Banking Enterprise Product Manufacturing" | 2.8.0 Search vendor "Oracle" for product "Banking Enterprise Product Manufacturing" and version "2.8.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Platform Search vendor "Oracle" for product "Banking Platform" | 2.4.0 Search vendor "Oracle" for product "Banking Platform" and version "2.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Platform Search vendor "Oracle" for product "Banking Platform" | 2.4.1 Search vendor "Oracle" for product "Banking Platform" and version "2.4.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Platform Search vendor "Oracle" for product "Banking Platform" | 2.5.0 Search vendor "Oracle" for product "Banking Platform" and version "2.5.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Platform Search vendor "Oracle" for product "Banking Platform" | 2.6.0 Search vendor "Oracle" for product "Banking Platform" and version "2.6.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Platform Search vendor "Oracle" for product "Banking Platform" | 2.6.1 Search vendor "Oracle" for product "Banking Platform" and version "2.6.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Platform Search vendor "Oracle" for product "Banking Platform" | 2.6.2 Search vendor "Oracle" for product "Banking Platform" and version "2.6.2" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Platform Search vendor "Oracle" for product "Banking Platform" | 2.7.0 Search vendor "Oracle" for product "Banking Platform" and version "2.7.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Platform Search vendor "Oracle" for product "Banking Platform" | 2.7.1 Search vendor "Oracle" for product "Banking Platform" and version "2.7.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Platform Search vendor "Oracle" for product "Banking Platform" | 2.9.0 Search vendor "Oracle" for product "Banking Platform" and version "2.9.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Business Process Management Suite Search vendor "Oracle" for product "Business Process Management Suite" | 12.2.1.3.0 Search vendor "Oracle" for product "Business Process Management Suite" and version "12.2.1.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Business Process Management Suite Search vendor "Oracle" for product "Business Process Management Suite" | 12.2.1.4.0 Search vendor "Oracle" for product "Business Process Management Suite" and version "12.2.1.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Clinical Search vendor "Oracle" for product "Clinical" | 5.2 Search vendor "Oracle" for product "Clinical" and version "5.2" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Diameter Signaling Router Search vendor "Oracle" for product "Communications Diameter Signaling Router" | >= 8.0.0.0 <= 8.4.0.5 Search vendor "Oracle" for product "Communications Diameter Signaling Router" and version " >= 8.0.0.0 <= 8.4.0.5" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Network Integrity Search vendor "Oracle" for product "Communications Network Integrity" | >= 7.3.2 <= 7.3.6 Search vendor "Oracle" for product "Communications Network Integrity" and version " >= 7.3.2 <= 7.3.6" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Service Broker Search vendor "Oracle" for product "Communications Service Broker" | 6.0 Search vendor "Oracle" for product "Communications Service Broker" and version "6.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Service Broker Search vendor "Oracle" for product "Communications Service Broker" | 6.1 Search vendor "Oracle" for product "Communications Service Broker" and version "6.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Services Gatekeeper Search vendor "Oracle" for product "Communications Services Gatekeeper" | 6.0 Search vendor "Oracle" for product "Communications Services Gatekeeper" and version "6.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Services Gatekeeper Search vendor "Oracle" for product "Communications Services Gatekeeper" | 6.1 Search vendor "Oracle" for product "Communications Services Gatekeeper" and version "6.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Enterprise Repository Search vendor "Oracle" for product "Enterprise Repository" | 11.1.1.7.0 Search vendor "Oracle" for product "Enterprise Repository" and version "11.1.1.7.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Financial Services Lending And Leasing Search vendor "Oracle" for product "Financial Services Lending And Leasing" | >= 14.1.0 <= 14.2.0 Search vendor "Oracle" for product "Financial Services Lending And Leasing" and version " >= 14.1.0 <= 14.2.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Financial Services Lending And Leasing Search vendor "Oracle" for product "Financial Services Lending And Leasing" | 12.5.0 Search vendor "Oracle" for product "Financial Services Lending And Leasing" and version "12.5.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Financial Services Revenue Management And Billing Analytics Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" | 2.6 Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" and version "2.6" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Financial Services Revenue Management And Billing Analytics Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" | 2.7 Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" and version "2.7" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Financial Services Revenue Management And Billing Analytics Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" | 2.8 Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" and version "2.8" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Flexcube Private Banking Search vendor "Oracle" for product "Flexcube Private Banking" | 12.0.0 Search vendor "Oracle" for product "Flexcube Private Banking" and version "12.0.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Flexcube Private Banking Search vendor "Oracle" for product "Flexcube Private Banking" | 12.1.0 Search vendor "Oracle" for product "Flexcube Private Banking" and version "12.1.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Health Sciences Data Management Workbench Search vendor "Oracle" for product "Health Sciences Data Management Workbench" | 2.4 Search vendor "Oracle" for product "Health Sciences Data Management Workbench" and version "2.4" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Health Sciences Data Management Workbench Search vendor "Oracle" for product "Health Sciences Data Management Workbench" | 2.5 Search vendor "Oracle" for product "Health Sciences Data Management Workbench" and version "2.5" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Hyperion Planning Search vendor "Oracle" for product "Hyperion Planning" | 11.1.2.4 Search vendor "Oracle" for product "Hyperion Planning" and version "11.1.2.4" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Rapid Planning Search vendor "Oracle" for product "Rapid Planning" | 12.1.3 Search vendor "Oracle" for product "Rapid Planning" and version "12.1.3" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Assortment Planning Search vendor "Oracle" for product "Retail Assortment Planning" | 15.0.3.0 Search vendor "Oracle" for product "Retail Assortment Planning" and version "15.0.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Assortment Planning Search vendor "Oracle" for product "Retail Assortment Planning" | 16.0.3.0 Search vendor "Oracle" for product "Retail Assortment Planning" and version "16.0.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Clearance Optimization Engine Search vendor "Oracle" for product "Retail Clearance Optimization Engine" | 13.4 Search vendor "Oracle" for product "Retail Clearance Optimization Engine" and version "13.4" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Clearance Optimization Engine Search vendor "Oracle" for product "Retail Clearance Optimization Engine" | 14.0.3 Search vendor "Oracle" for product "Retail Clearance Optimization Engine" and version "14.0.3" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Clearance Optimization Engine Search vendor "Oracle" for product "Retail Clearance Optimization Engine" | 14.0.5 Search vendor "Oracle" for product "Retail Clearance Optimization Engine" and version "14.0.5" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Markdown Optimization Search vendor "Oracle" for product "Retail Markdown Optimization" | 13.4 Search vendor "Oracle" for product "Retail Markdown Optimization" and version "13.4" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Sales Audit Search vendor "Oracle" for product "Retail Sales Audit" | 15.0.3 Search vendor "Oracle" for product "Retail Sales Audit" and version "15.0.3" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Sales Audit Search vendor "Oracle" for product "Retail Sales Audit" | 16.0.2 Search vendor "Oracle" for product "Retail Sales Audit" and version "16.0.2" | - |
Affected
| ||||||