cnvd - cnvd-2021-38778

CNVD-2021-38778

Vulnerability from cnvd - Published: 2021-06-02

Title

Oracle Installed Base存在未明漏洞

Description

Oracle Installed Base是美国甲骨文（Oracle）公司的一个项目生命周期管理应用。提供企业范围内（内部）生命周期项目管理和跟踪功能。 Oracle Installed Base 12.1.3版本的APIs组件存在安全漏洞。攻击者可利用该漏洞通过HTTP网络访问破坏Oracle Installed Base，对Oracle Installed Base关键数据和所有可访问数据进行未授权访问、创建、删除和修改。

Severity

中

Patch Name

Oracle Installed Base存在未明漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://www.oracle.com/security-alerts/cpuapr2021.html

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-2231

Impacted products

Name
Oracle Oracle Installed Base 12.1.3

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-2231"
    }
  },
  "description": "Oracle Installed Base\u662f\u7f8e\u56fd\u7532\u9aa8\u6587\uff08Oracle\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u9879\u76ee\u751f\u547d\u5468\u671f\u7ba1\u7406\u5e94\u7528\u3002\u63d0\u4f9b\u4f01\u4e1a\u8303\u56f4\u5185\uff08\u5185\u90e8\uff09\u751f\u547d\u5468\u671f\u9879\u76ee\u7ba1\u7406\u548c\u8ddf\u8e2a\u529f\u80fd\u3002\n\nOracle Installed Base 12.1.3\u7248\u672c\u7684APIs\u7ec4\u4ef6\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7HTTP\u7f51\u7edc\u8bbf\u95ee\u7834\u574fOracle Installed Base\uff0c\u5bf9Oracle Installed Base\u5173\u952e\u6570\u636e\u548c\u6240\u6709\u53ef\u8bbf\u95ee\u6570\u636e\u8fdb\u884c\u672a\u6388\u6743\u8bbf\u95ee\u3001\u521b\u5efa\u3001\u5220\u9664\u548c\u4fee\u6539\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://www.oracle.com/security-alerts/cpuapr2021.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-38778",
  "openTime": "2021-06-02",
  "patchDescription": "Oracle Installed Base\u662f\u7f8e\u56fd\u7532\u9aa8\u6587\uff08Oracle\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u9879\u76ee\u751f\u547d\u5468\u671f\u7ba1\u7406\u5e94\u7528\u3002\u63d0\u4f9b\u4f01\u4e1a\u8303\u56f4\u5185\uff08\u5185\u90e8\uff09\u751f\u547d\u5468\u671f\u9879\u76ee\u7ba1\u7406\u548c\u8ddf\u8e2a\u529f\u80fd\u3002\r\n\r\nOracle Installed Base 12.1.3\u7248\u672c\u7684APIs\u7ec4\u4ef6\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7HTTP\u7f51\u7edc\u8bbf\u95ee\u7834\u574fOracle Installed Base\uff0c\u5bf9Oracle Installed Base\u5173\u952e\u6570\u636e\u548c\u6240\u6709\u53ef\u8bbf\u95ee\u6570\u636e\u8fdb\u884c\u672a\u6388\u6743\u8bbf\u95ee\u3001\u521b\u5efa\u3001\u5220\u9664\u548c\u4fee\u6539\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Oracle Installed Base\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Oracle Oracle Installed Base 12.1.3"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-2231",
  "serverity": "\u4e2d",
  "submitTime": "2021-04-22",
  "title": "Oracle Installed Base\u5b58\u5728\u672a\u660e\u6f0f\u6d1e"
}

CVE-2021-2231 (GCVE-0-2021-2231)

Vulnerability from cvelistv5 – Published: 2021-04-22 21:53 – Updated: 2024-09-26 15:05

Summary

Vulnerability in the Oracle Installed Base product of Oracle E-Business Suite (component: APIs). The supported version that is affected is 12.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Installed Base. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Installed Base accessible data as well as unauthorized access to critical data or complete access to all Oracle Installed Base accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

Severity ?

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE

Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Installed Base. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Installed Base accessible data as well as unauthorized access to critical data or complete access to all Oracle Installed Base accessible data.

Assigner

oracle

References

URL

Tags

https://www.oracle.com/security-alerts/cpuapr2021.html

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Oracle Corporation	Installed Base	Affected: 12.1.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T16:38:56.448Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2021.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-2231",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-26T14:48:57.504064Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-26T15:05:11.378Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Installed Base",
          "vendor": "Oracle Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "12.1.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vulnerability in the Oracle Installed Base product of Oracle E-Business Suite (component: APIs). The supported version that is affected is 12.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Installed Base. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Installed Base accessible data as well as unauthorized access to critical data or complete access to all Oracle Installed Base accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Installed Base.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Installed Base accessible data as well as  unauthorized access to critical data or complete access to all Oracle Installed Base accessible data.",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-04-22T21:53:53",
        "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "shortName": "oracle"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2021.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert_us@oracle.com",
          "ID": "CVE-2021-2231",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Installed Base",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "12.1.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Oracle Corporation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Vulnerability in the Oracle Installed Base product of Oracle E-Business Suite (component: APIs). The supported version that is affected is 12.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Installed Base. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Installed Base accessible data as well as unauthorized access to critical data or complete access to all Oracle Installed Base accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": "8.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Installed Base.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Installed Base accessible data as well as  unauthorized access to critical data or complete access to all Oracle Installed Base accessible data."
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2021.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
    "assignerShortName": "oracle",
    "cveId": "CVE-2021-2231",
    "datePublished": "2021-04-22T21:53:53",
    "dateReserved": "2020-12-09T00:00:00",
    "dateUpdated": "2024-09-26T15:05:11.378Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-38778

CVE-2021-2231 (GCVE-0-2021-2231)

Tags

Sightings

Nomenclature