SB2020042337 - Multiple vulnerabilities in Oracle Knowledge




Published: April 23, 2020
Updated: March 6, 2024

Security Bulletin ID: SB2020042337
Severity: High
Patch available: YES
Number of vulnerabilities: 16
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 19%, Medium 38%, Low 44%

Description

This security bulletin contains information about 16 security vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2020-2522)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Information Manager Console component in Oracle Knowledge. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.


2) Improper input validation (CVE-ID: CVE-2020-2553)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Information Manager Console component in Oracle Knowledge. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.


3) Improper input validation (CVE-ID: CVE-2020-2932)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Information Manager Console component in Oracle Knowledge. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.


4) Improper input validation (CVE-ID: CVE-2020-2524)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the InQuira Search component in Oracle Knowledge. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.


5) Cross-site scripting (CVE-ID: CVE-2017-14735)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


6) Cross-site scripting (CVE-ID: CVE-2015-9251)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when a cross-domain Ajax request is performed without the dataType option. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary text/javascript responses in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


7) Prototype pollution (CVE-ID: CVE-2019-11358)

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.


8) Improper input validation (CVE-ID: CVE-2020-2795)

The vulnerability allows a local privileged user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Information Manager Console component in Oracle Knowledge. A local privileged user can exploit this vulnerability to execute arbitrary code.


9) Infinite loop (CVE-ID: CVE-2018-17197)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The vulnerability exists due to an infinite loop when handling malicious input. A remote attacker can supply a carefully crafted or corrupt SQLite file, trigger an infinite loop in Apache Tika's SQLite3Parser and cause the service to crash.


10) Improper input validation (CVE-ID: CVE-2015-0254)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Information Manager Console (Apache Standard Taglibs) component in Oracle Knowledge. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.


11) Resource exhaustion (CVE-ID: CVE-2016-3092)

The vulnerability allows a remote attacker to cause denial of service conditions on the target system.

The vulnerability exists due to an input validation error when processing very long boundary strings within the MultipartStream class in Apache Commons Fileupload. A remote user can cause denial of service conditions by sending a specially crafted boundary string that consumes excessive CPU resources.

Successful exploitation of this vulnerability may result in a denial of service attack.


12) Improper input validation (CVE-ID: CVE-2019-0227)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Core (Apache Axis) component in Oracle Communications Design Studio. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.


13) XXE attack (CVE-ID: CVE-2015-1832)

The vulnerability allows a remote user to conduct an XXE attack.

The weakness exists due to an XML external entity error. Via vectors involving XmlVTI and the XML datatype, context-dependent attackers can view arbitrary files, which may lead to denial of service.

Successful exploitation of the vulnerability can result in potentially sensitive information disclosure and denial of service on the vulnerable system.

14) Improper input validation (CVE-ID: CVE-2020-2931)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Web Applications - InfoCenter component in Oracle Knowledge. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.


15) Deserialization of untrusted data (CVE-ID: CVE-2016-1000031)

The vulnerability allows a remote unauthenticated attacker to execute arbitrary code on the target system.

The weakness exists in the DiskFileItem class of the FileUpload library due to deserialization of untrusted data. A remote attacker can execute arbitrary code under the context of the current process.

Successful exploitation of the vulnerability may result in system compromise.

16) Improper input validation (CVE-ID: CVE-2020-2791)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Information Manager Console component in Oracle Knowledge. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.


Remediation

Install the update from the vendor's website.