SB2020090140 - Multiple vulnerabilities in Fuse 6
Published: September 1, 2020 Updated: April 24, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2019-9827)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted HTTP request via the initial /proxy/ substring of a URI and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.
2) Protection mechanism failure (CVE-ID: CVE-2019-10086)
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exist due to Beanutils is not using by default the a special BeanIntrospector class in PropertyUtilsBean that was supposed to suppress the ability for an attacker to access the classloader via the class property available on all Java objects. A remote attacker can abuse such application behavior against applications that were developed to rely on this security feature.
3) Improper input validation (CVE-ID: CVE-2020-11994)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Security Subsystem (Apache Camel) component in Oracle Enterprise Repository. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
Remediation
Install update from vendor's website.