
CVE-2022-21500

 

  • Severity Score: 7.5 (CVSS v3.1)
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits: 1 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: Attend (SSVC)

Descriptions

Vulnerability in Oracle E-Business Suite (component: Manage Proxies). The supported version that is affected is 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle E-Business Suite. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle E-Business Suite accessible data. Note: Authentication is required for successful attack, however the user may be self-registered.

Oracle E-Business Suite 12.1 is not impacted by this vulnerability. Customers should refer to the Patch Availability Document for details. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).


*Credits: N/A
CVSS Scores
CVSS v3.1
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None
CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: None
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: Attend
  • Exploitation: None
  • Automatable: Yes
  • Tech. Impact: Partial
* Organization's Worst-case Scenario
Timeline
  • 2021-11-15 CVE Reserved
  • 2022-05-19 CVE Published
  • 2024-06-21 First Exploit
  • 2024-09-24 CVE Updated
  • 2024-10-31 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
CAPEC
Affected Vendors, Products, and Versions
Vendor   Product            Version                Other   Status
Oracle   E-business Suite   12.2                   -       Affected
Oracle   User Management    >= 12.2.4 <= 12.2.11   -       Affected