cnvd - cnvd-2022-54637

CNVD-2022-54637

Vulnerability from cnvd - Published: 2022-07-29

Title

Oracle Enterprise Manager Base Platform输入验证错误漏洞

Description

Oracle Enterprise Manager Base Platform是美国甲骨文（Oracle）公司的一套本地管理平台。该平台主要用于管理Oracle产品部署。 Oracle Enterprise Manager Base Platform (component： Enterprise Manager Install)13.4.0.0版本至13.5.0.0版本存在输入验证错误漏洞，未经身份验证的攻击者利用该漏洞可通过HTTP进行网络访问，从而导致对Enterprise Manager Base Platform可访问数据的更新、插入或删除。

Severity

高

Patch Name

Oracle Enterprise Manager Base Platform输入验证错误漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.oracle.com/security-alerts/cpujul2022.html

Reference

https://nvd.nist.gov/vuln/detail/CVE-2022-21516

Impacted products

Name
['Oracle Oracle Enterprise Manager Base Platform 13.4.0.0', 'Oracle Oracle Enterprise Manager Base Platform 13.5.0.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-21516",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-21516"
    }
  },
  "description": "Oracle Enterprise Manager Base Platform\u662f\u7f8e\u56fd\u7532\u9aa8\u6587\uff08Oracle\uff09\u516c\u53f8\u7684\u4e00\u5957\u672c\u5730\u7ba1\u7406\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u4e3b\u8981\u7528\u4e8e\u7ba1\u7406Oracle\u4ea7\u54c1\u90e8\u7f72\u3002\n\nOracle Enterprise Manager Base Platform (component\uff1a Enterprise Manager Install)13.4.0.0\u7248\u672c\u81f313.5.0.0\u7248\u672c\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff0c\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u53ef\u901a\u8fc7HTTP\u8fdb\u884c\u7f51\u7edc\u8bbf\u95ee\uff0c\u4ece\u800c\u5bfc\u81f4\u5bf9Enterprise Manager Base Platform\u53ef\u8bbf\u95ee\u6570\u636e\u7684\u66f4\u65b0\u3001\u63d2\u5165\u6216\u5220\u9664\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.oracle.com/security-alerts/cpujul2022.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-54637",
  "openTime": "2022-07-29",
  "patchDescription": "Oracle Enterprise Manager Base Platform\u662f\u7f8e\u56fd\u7532\u9aa8\u6587\uff08Oracle\uff09\u516c\u53f8\u7684\u4e00\u5957\u672c\u5730\u7ba1\u7406\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u4e3b\u8981\u7528\u4e8e\u7ba1\u7406Oracle\u4ea7\u54c1\u90e8\u7f72\u3002\r\n\r\nOracle Enterprise Manager Base Platform (component\uff1a Enterprise Manager Install)13.4.0.0\u7248\u672c\u81f313.5.0.0\u7248\u672c\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff0c\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u53ef\u901a\u8fc7HTTP\u8fdb\u884c\u7f51\u7edc\u8bbf\u95ee\uff0c\u4ece\u800c\u5bfc\u81f4\u5bf9Enterprise Manager Base Platform\u53ef\u8bbf\u95ee\u6570\u636e\u7684\u66f4\u65b0\u3001\u63d2\u5165\u6216\u5220\u9664\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Oracle Enterprise Manager Base Platform\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Oracle Oracle Enterprise Manager Base Platform 13.4.0.0",
      "Oracle Oracle Enterprise Manager Base Platform 13.5.0.0"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-21516",
  "serverity": "\u9ad8",
  "submitTime": "2022-07-21",
  "title": "Oracle Enterprise Manager Base Platform\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e"
}

CVE-2022-21516 (GCVE-0-2022-21516)

Vulnerability from cvelistv5 – Published: 2022-07-19 21:06 – Updated: 2024-09-24 20:03

Summary

Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Enterprise Manager Install). Supported versions that are affected are 13.4.0.0 and 13.5.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data as well as unauthorized read access to a subset of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

Severity ?

7.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE

Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data as well as unauthorized read access to a subset of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform.

Assigner

oracle

References

URL

Tags

https://www.oracle.com/security-alerts/cpujul2022.html

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Oracle Corporation	Enterprise Manager Base Platform	Affected: 13.4.0.0 Affected: 13.5.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T02:46:38.277Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-21516",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-24T13:53:46.645686Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-24T20:03:11.545Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Enterprise Manager Base Platform",
          "vendor": "Oracle Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "13.4.0.0"
            },
            {
              "status": "affected",
              "version": "13.5.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Enterprise Manager Install). Supported versions that are affected are 13.4.0.0 and 13.5.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data as well as unauthorized read access to a subset of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Enterprise Manager Base Platform.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data as well as  unauthorized read access to a subset of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform.",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-19T21:06:52",
        "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "shortName": "oracle"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert_us@oracle.com",
          "ID": "CVE-2022-21516",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Enterprise Manager Base Platform",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "13.4.0.0"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "13.5.0.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Oracle Corporation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Enterprise Manager Install). Supported versions that are affected are 13.4.0.0 and 13.5.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data as well as unauthorized read access to a subset of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": "7.3",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Enterprise Manager Base Platform.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data as well as  unauthorized read access to a subset of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform."
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
    "assignerShortName": "oracle",
    "cveId": "CVE-2022-21516",
    "datePublished": "2022-07-19T21:06:52",
    "dateReserved": "2021-11-15T00:00:00",
    "dateUpdated": "2024-09-24T20:03:11.545Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2022-54637

CVE-2022-21516 (GCVE-0-2022-21516)

Tags

Sightings

Nomenclature