cnvd - cnvd-2021-08011

CNVD-2021-08011

Vulnerability from cnvd - Published: 2021-02-01

Title

Oracle PeopleSoft Enterprise FIN Payables信息泄露漏洞

Description

Oracle PeopleSoft Products是美国甲骨文（Oracle）公司的一套企业人力资本管理解决方案。该产品提供了人力资本管理、财务管理、供应商关系管理等功能。PeopleSoft Enterprise FIN Project Costing是其中的一个项目成本核算组件。 Oracle PeopleSoft的PeopleSoft Enterprise FIN Payables 9.2的Financial Sanctions组件存在信息泄露漏洞。攻击者可通过HTTP网络访问破坏PeopleSoft Enterprise FIN Payables，并对PeopleSoft Enterprise FIN Payables关键数据和所有PeopleSoft Enterprise FIN Payables可访问数据进行未授权访问。

Severity

中

Patch Name

Oracle PeopleSoft Enterprise FIN Payables信息泄露漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://www.oracle.com/security-alerts/cpujan2021.html

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-2044

Impacted products

Name
Oracle PeopleSoft Enterprise FIN Payables 9.2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-2044",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-2044"
    }
  },
  "description": "Oracle PeopleSoft Products\u662f\u7f8e\u56fd\u7532\u9aa8\u6587\uff08Oracle\uff09\u516c\u53f8\u7684\u4e00\u5957\u4f01\u4e1a\u4eba\u529b\u8d44\u672c\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u4ea7\u54c1\u63d0\u4f9b\u4e86\u4eba\u529b\u8d44\u672c\u7ba1\u7406\u3001\u8d22\u52a1\u7ba1\u7406\u3001\u4f9b\u5e94\u5546\u5173\u7cfb\u7ba1\u7406\u7b49\u529f\u80fd\u3002PeopleSoft Enterprise FIN Project Costing\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u9879\u76ee\u6210\u672c\u6838\u7b97\u7ec4\u4ef6\u3002\n\nOracle PeopleSoft\u7684PeopleSoft Enterprise FIN Payables 9.2\u7684Financial Sanctions\u7ec4\u4ef6\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7HTTP\u7f51\u7edc\u8bbf\u95ee\u7834\u574fPeopleSoft Enterprise FIN Payables\uff0c\u5e76\u5bf9PeopleSoft Enterprise FIN Payables\u5173\u952e\u6570\u636e\u548c\u6240\u6709PeopleSoft Enterprise FIN Payables\u53ef\u8bbf\u95ee\u6570\u636e\u8fdb\u884c\u672a\u6388\u6743\u8bbf\u95ee\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://www.oracle.com/security-alerts/cpujan2021.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-08011",
  "openTime": "2021-02-01",
  "patchDescription": "Oracle PeopleSoft Products\u662f\u7f8e\u56fd\u7532\u9aa8\u6587\uff08Oracle\uff09\u516c\u53f8\u7684\u4e00\u5957\u4f01\u4e1a\u4eba\u529b\u8d44\u672c\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u4ea7\u54c1\u63d0\u4f9b\u4e86\u4eba\u529b\u8d44\u672c\u7ba1\u7406\u3001\u8d22\u52a1\u7ba1\u7406\u3001\u4f9b\u5e94\u5546\u5173\u7cfb\u7ba1\u7406\u7b49\u529f\u80fd\u3002PeopleSoft Enterprise FIN Project Costing\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u9879\u76ee\u6210\u672c\u6838\u7b97\u7ec4\u4ef6\u3002\r\n\r\nOracle PeopleSoft\u7684PeopleSoft Enterprise FIN Payables 9.2\u7684Financial Sanctions\u7ec4\u4ef6\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7HTTP\u7f51\u7edc\u8bbf\u95ee\u7834\u574fPeopleSoft Enterprise FIN Payables\uff0c\u5e76\u5bf9PeopleSoft Enterprise FIN Payables\u5173\u952e\u6570\u636e\u548c\u6240\u6709PeopleSoft Enterprise FIN Payables\u53ef\u8bbf\u95ee\u6570\u636e\u8fdb\u884c\u672a\u6388\u6743\u8bbf\u95ee\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Oracle PeopleSoft Enterprise FIN Payables\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Oracle PeopleSoft Enterprise FIN Payables 9.2"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-2044",
  "serverity": "\u4e2d",
  "submitTime": "2021-01-25",
  "title": "Oracle PeopleSoft Enterprise FIN Payables\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

CVE-2021-2044 (GCVE-0-2021-2044)

Vulnerability from cvelistv5 – Published: 2021-01-20 14:50 – Updated: 2024-09-26 18:36

Summary

Vulnerability in the PeopleSoft Enterprise FIN Payables product of Oracle PeopleSoft (component: Financial Sanctions). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise FIN Payables. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise FIN Payables accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise FIN Payables. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise FIN Payables accessible data.

Assigner

oracle

References

URL

Tags

https://www.oracle.com/security-alerts/cpujan2021.html

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Oracle Corporation	PeopleSoft Enterprise FIN Payables	Affected: 9.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T16:32:01.713Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-2044",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-26T17:54:58.915411Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-26T18:36:17.189Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PeopleSoft Enterprise FIN Payables",
          "vendor": "Oracle Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "9.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vulnerability in the PeopleSoft Enterprise FIN Payables product of Oracle PeopleSoft (component: Financial Sanctions). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise FIN Payables. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise FIN Payables accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise FIN Payables.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all PeopleSoft Enterprise FIN Payables accessible data.",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-01-20T14:50:04",
        "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "shortName": "oracle"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert_us@oracle.com",
          "ID": "CVE-2021-2044",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "PeopleSoft Enterprise FIN Payables",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "9.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Oracle Corporation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Vulnerability in the PeopleSoft Enterprise FIN Payables product of Oracle PeopleSoft (component: Financial Sanctions). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise FIN Payables. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise FIN Payables accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": "6.5",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise FIN Payables.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all PeopleSoft Enterprise FIN Payables accessible data."
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
    "assignerShortName": "oracle",
    "cveId": "CVE-2021-2044",
    "datePublished": "2021-01-20T14:50:04",
    "dateReserved": "2020-12-09T00:00:00",
    "dateUpdated": "2024-09-26T18:36:17.189Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-08011

CVE-2021-2044 (GCVE-0-2021-2044)

Tags

Sightings

Nomenclature