// For flags

CVE-2019-2904

Oracle ADF Faces Deserialization of Untrusted Data Remote Code Execution Vulnerability

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

Vulnerability in the Oracle JDeveloper and ADF product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 11.1.1.9.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle JDeveloper and ADF. Successful attacks of this vulnerability can result in takeover of Oracle JDeveloper and ADF. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Una vulnerabilidad en el producto Oracle JDeveloper and ADF de Oracle Fusion Middleware (componente: ADF Faces). Las versiones compatibles que están afectadas son 11.1.1.9.0, 12.1.3.0.0 y 12.2.1.3.0. Una vulnerabilidad fácilmente explotable permite a un atacante no autenticado con acceso a la red por medio de HTTP comprometer a Oracle JDeveloper and ADF. Los ataques con éxito de esta vulnerabilidad pueden resultar en la toma de control de Oracle JDeveloper and ADF. CVSS 3.0 Puntuación Base 9.8 (Impactos de la Confidencialidad, Integridad y Disponibilidad). Vector CVSS: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle ADF Faces. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the Remote Regions component. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the web server.

*Credits: tint0 of Viettel Cyber Security
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
None
Automatable
Yes
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2018-12-14 CVE Reserved
  • 2019-10-16 CVE Published
  • 2024-10-15 CVE Updated
  • 2024-10-27 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Oracle
Search vendor "Oracle"
Application Testing Suite
Search vendor "Oracle" for product "Application Testing Suite"
12.5.0.3
Search vendor "Oracle" for product "Application Testing Suite" and version "12.5.0.3"
-
Affected
Oracle
Search vendor "Oracle"
Application Testing Suite
Search vendor "Oracle" for product "Application Testing Suite"
13.1.0.1
Search vendor "Oracle" for product "Application Testing Suite" and version "13.1.0.1"
-
Affected
Oracle
Search vendor "Oracle"
Application Testing Suite
Search vendor "Oracle" for product "Application Testing Suite"
13.2.0.1
Search vendor "Oracle" for product "Application Testing Suite" and version "13.2.0.1"
-
Affected
Oracle
Search vendor "Oracle"
Application Testing Suite
Search vendor "Oracle" for product "Application Testing Suite"
13.3.0.1
Search vendor "Oracle" for product "Application Testing Suite" and version "13.3.0.1"
-
Affected
Oracle
Search vendor "Oracle"
Banking Enterprise Collections
Search vendor "Oracle" for product "Banking Enterprise Collections"
2.7.0
Search vendor "Oracle" for product "Banking Enterprise Collections" and version "2.7.0"
-
Affected
Oracle
Search vendor "Oracle"
Banking Enterprise Collections
Search vendor "Oracle" for product "Banking Enterprise Collections"
2.8.0
Search vendor "Oracle" for product "Banking Enterprise Collections" and version "2.8.0"
-
Affected
Oracle
Search vendor "Oracle"
Banking Enterprise Originations
Search vendor "Oracle" for product "Banking Enterprise Originations"
2.7.0
Search vendor "Oracle" for product "Banking Enterprise Originations" and version "2.7.0"
-
Affected
Oracle
Search vendor "Oracle"
Banking Enterprise Originations
Search vendor "Oracle" for product "Banking Enterprise Originations"
2.8.0
Search vendor "Oracle" for product "Banking Enterprise Originations" and version "2.8.0"
-
Affected
Oracle
Search vendor "Oracle"
Banking Enterprise Product Manufacturing
Search vendor "Oracle" for product "Banking Enterprise Product Manufacturing"
2.7.0
Search vendor "Oracle" for product "Banking Enterprise Product Manufacturing" and version "2.7.0"
-
Affected
Oracle
Search vendor "Oracle"
Banking Enterprise Product Manufacturing
Search vendor "Oracle" for product "Banking Enterprise Product Manufacturing"
2.8.0
Search vendor "Oracle" for product "Banking Enterprise Product Manufacturing" and version "2.8.0"
-
Affected
Oracle
Search vendor "Oracle"
Banking Platform
Search vendor "Oracle" for product "Banking Platform"
2.4.0
Search vendor "Oracle" for product "Banking Platform" and version "2.4.0"
-
Affected
Oracle
Search vendor "Oracle"
Banking Platform
Search vendor "Oracle" for product "Banking Platform"
2.4.1
Search vendor "Oracle" for product "Banking Platform" and version "2.4.1"
-
Affected
Oracle
Search vendor "Oracle"
Banking Platform
Search vendor "Oracle" for product "Banking Platform"
2.5.0
Search vendor "Oracle" for product "Banking Platform" and version "2.5.0"
-
Affected
Oracle
Search vendor "Oracle"
Banking Platform
Search vendor "Oracle" for product "Banking Platform"
2.6.0
Search vendor "Oracle" for product "Banking Platform" and version "2.6.0"
-
Affected
Oracle
Search vendor "Oracle"
Banking Platform
Search vendor "Oracle" for product "Banking Platform"
2.6.1
Search vendor "Oracle" for product "Banking Platform" and version "2.6.1"
-
Affected
Oracle
Search vendor "Oracle"
Banking Platform
Search vendor "Oracle" for product "Banking Platform"
2.6.2
Search vendor "Oracle" for product "Banking Platform" and version "2.6.2"
-
Affected
Oracle
Search vendor "Oracle"
Banking Platform
Search vendor "Oracle" for product "Banking Platform"
2.7.0
Search vendor "Oracle" for product "Banking Platform" and version "2.7.0"
-
Affected
Oracle
Search vendor "Oracle"
Banking Platform
Search vendor "Oracle" for product "Banking Platform"
2.7.1
Search vendor "Oracle" for product "Banking Platform" and version "2.7.1"
-
Affected
Oracle
Search vendor "Oracle"
Banking Platform
Search vendor "Oracle" for product "Banking Platform"
2.9.0
Search vendor "Oracle" for product "Banking Platform" and version "2.9.0"
-
Affected
Oracle
Search vendor "Oracle"
Business Process Management Suite
Search vendor "Oracle" for product "Business Process Management Suite"
12.2.1.3.0
Search vendor "Oracle" for product "Business Process Management Suite" and version "12.2.1.3.0"
-
Affected
Oracle
Search vendor "Oracle"
Business Process Management Suite
Search vendor "Oracle" for product "Business Process Management Suite"
12.2.1.4.0
Search vendor "Oracle" for product "Business Process Management Suite" and version "12.2.1.4.0"
-
Affected
Oracle
Search vendor "Oracle"
Clinical
Search vendor "Oracle" for product "Clinical"
5.2
Search vendor "Oracle" for product "Clinical" and version "5.2"
-
Affected
Oracle
Search vendor "Oracle"
Communications Diameter Signaling Router
Search vendor "Oracle" for product "Communications Diameter Signaling Router"
>= 8.0.0.0 <= 8.4.0.5
Search vendor "Oracle" for product "Communications Diameter Signaling Router" and version " >= 8.0.0.0 <= 8.4.0.5"
-
Affected
Oracle
Search vendor "Oracle"
Communications Network Integrity
Search vendor "Oracle" for product "Communications Network Integrity"
>= 7.3.2 <= 7.3.6
Search vendor "Oracle" for product "Communications Network Integrity" and version " >= 7.3.2 <= 7.3.6"
-
Affected
Oracle
Search vendor "Oracle"
Communications Service Broker
Search vendor "Oracle" for product "Communications Service Broker"
6.0
Search vendor "Oracle" for product "Communications Service Broker" and version "6.0"
-
Affected
Oracle
Search vendor "Oracle"
Communications Service Broker
Search vendor "Oracle" for product "Communications Service Broker"
6.1
Search vendor "Oracle" for product "Communications Service Broker" and version "6.1"
-
Affected
Oracle
Search vendor "Oracle"
Communications Services Gatekeeper
Search vendor "Oracle" for product "Communications Services Gatekeeper"
6.0
Search vendor "Oracle" for product "Communications Services Gatekeeper" and version "6.0"
-
Affected
Oracle
Search vendor "Oracle"
Communications Services Gatekeeper
Search vendor "Oracle" for product "Communications Services Gatekeeper"
6.1
Search vendor "Oracle" for product "Communications Services Gatekeeper" and version "6.1"
-
Affected
Oracle
Search vendor "Oracle"
Enterprise Repository
Search vendor "Oracle" for product "Enterprise Repository"
11.1.1.7.0
Search vendor "Oracle" for product "Enterprise Repository" and version "11.1.1.7.0"
-
Affected
Oracle
Search vendor "Oracle"
Financial Services Lending And Leasing
Search vendor "Oracle" for product "Financial Services Lending And Leasing"
>= 14.1.0 <= 14.2.0
Search vendor "Oracle" for product "Financial Services Lending And Leasing" and version " >= 14.1.0 <= 14.2.0"
-
Affected
Oracle
Search vendor "Oracle"
Financial Services Lending And Leasing
Search vendor "Oracle" for product "Financial Services Lending And Leasing"
12.5.0
Search vendor "Oracle" for product "Financial Services Lending And Leasing" and version "12.5.0"
-
Affected
Oracle
Search vendor "Oracle"
Financial Services Revenue Management And Billing Analytics
Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics"
2.6
Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" and version "2.6"
-
Affected
Oracle
Search vendor "Oracle"
Financial Services Revenue Management And Billing Analytics
Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics"
2.7
Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" and version "2.7"
-
Affected
Oracle
Search vendor "Oracle"
Financial Services Revenue Management And Billing Analytics
Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics"
2.8
Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" and version "2.8"
-
Affected
Oracle
Search vendor "Oracle"
Flexcube Private Banking
Search vendor "Oracle" for product "Flexcube Private Banking"
12.0.0
Search vendor "Oracle" for product "Flexcube Private Banking" and version "12.0.0"
-
Affected
Oracle
Search vendor "Oracle"
Flexcube Private Banking
Search vendor "Oracle" for product "Flexcube Private Banking"
12.1.0
Search vendor "Oracle" for product "Flexcube Private Banking" and version "12.1.0"
-
Affected
Oracle
Search vendor "Oracle"
Health Sciences Data Management Workbench
Search vendor "Oracle" for product "Health Sciences Data Management Workbench"
2.4
Search vendor "Oracle" for product "Health Sciences Data Management Workbench" and version "2.4"
-
Affected
Oracle
Search vendor "Oracle"
Health Sciences Data Management Workbench
Search vendor "Oracle" for product "Health Sciences Data Management Workbench"
2.5
Search vendor "Oracle" for product "Health Sciences Data Management Workbench" and version "2.5"
-
Affected
Oracle
Search vendor "Oracle"
Hyperion Planning
Search vendor "Oracle" for product "Hyperion Planning"
11.1.2.4
Search vendor "Oracle" for product "Hyperion Planning" and version "11.1.2.4"
-
Affected
Oracle
Search vendor "Oracle"
Rapid Planning
Search vendor "Oracle" for product "Rapid Planning"
12.1.3
Search vendor "Oracle" for product "Rapid Planning" and version "12.1.3"
-
Affected
Oracle
Search vendor "Oracle"
Retail Assortment Planning
Search vendor "Oracle" for product "Retail Assortment Planning"
15.0.3.0
Search vendor "Oracle" for product "Retail Assortment Planning" and version "15.0.3.0"
-
Affected
Oracle
Search vendor "Oracle"
Retail Assortment Planning
Search vendor "Oracle" for product "Retail Assortment Planning"
16.0.3.0
Search vendor "Oracle" for product "Retail Assortment Planning" and version "16.0.3.0"
-
Affected
Oracle
Search vendor "Oracle"
Retail Clearance Optimization Engine
Search vendor "Oracle" for product "Retail Clearance Optimization Engine"
13.4
Search vendor "Oracle" for product "Retail Clearance Optimization Engine" and version "13.4"
-
Affected
Oracle
Search vendor "Oracle"
Retail Clearance Optimization Engine
Search vendor "Oracle" for product "Retail Clearance Optimization Engine"
14.0.3
Search vendor "Oracle" for product "Retail Clearance Optimization Engine" and version "14.0.3"
-
Affected
Oracle
Search vendor "Oracle"
Retail Clearance Optimization Engine
Search vendor "Oracle" for product "Retail Clearance Optimization Engine"
14.0.5
Search vendor "Oracle" for product "Retail Clearance Optimization Engine" and version "14.0.5"
-
Affected
Oracle
Search vendor "Oracle"
Retail Markdown Optimization
Search vendor "Oracle" for product "Retail Markdown Optimization"
13.4
Search vendor "Oracle" for product "Retail Markdown Optimization" and version "13.4"
-
Affected
Oracle
Search vendor "Oracle"
Retail Sales Audit
Search vendor "Oracle" for product "Retail Sales Audit"
15.0.3
Search vendor "Oracle" for product "Retail Sales Audit" and version "15.0.3"
-
Affected
Oracle
Search vendor "Oracle"
Retail Sales Audit
Search vendor "Oracle" for product "Retail Sales Audit"
16.0.2
Search vendor "Oracle" for product "Retail Sales Audit" and version "16.0.2"
-
Affected