Multiple vulnerabilities in Oracle Agile PLM Framework

Published: 2022-04-25

Risk	Medium
Patch available	YES
Number of vulnerabilities	5
CVE-ID	CVE-2021-29425 CVE-2021-41165 CVE-2022-21467 CVE-2021-44832 CVE-2021-42340
CWE-ID	CWE-22 CWE-79 CWE-20 CWE-94 CWE-400
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	Oracle Agile PLM Framework Universal components / Libraries / Software for developers
Vendor	Oracle

Security Bulletin

This security bulletin contains information about 5 vulnerabilities.

1) Path traversal

EUVDB-ID: #VU52252

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-29425

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error within the FileNameUtils.normalize method when processing directory traversal sequences, such as "//../foo", or "\..foo". A remote attacker can send a specially crafted request and verify files availability in the parent folder.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Agile PLM Framework: 9.3.6

CPE2.3

cpe:2.3:a:oracle:oracle_agile_plm_framework:9.3.6:*:*:*:*:*:*:*

External links

http://www.oracle.com/security-alerts/cpuapr2022.html?3261

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Cross-site scripting

EUVDB-ID: #VU58219

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-41165

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when processing HTML comments. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Agile PLM Framework: 9.3.6

CPE2.3

cpe:2.3:a:oracle:oracle_agile_plm_framework:9.3.6:*:*:*:*:*:*:*

External links

http://www.oracle.com/security-alerts/cpuapr2022.html?3261

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Improper input validation

EUVDB-ID: #VU62563

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21467

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Attachments component in Oracle Agile PLM. A remote authenticated user can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Agile PLM Framework: 9.3.6

CPE2.3

cpe:2.3:a:oracle:oracle_agile_plm_framework:9.3.6:*:*:*:*:*:*:*

External links

http://www.oracle.com/security-alerts/cpuapr2022.html?3261

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

4) Code Injection

EUVDB-ID: #VU59098

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-44832

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation. A remote user with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Agile PLM Framework: 9.3.6

CPE2.3

cpe:2.3:a:oracle:oracle_agile_plm_framework:9.3.6:*:*:*:*:*:*:*

External links

http://www.oracle.com/security-alerts/cpuapr2022.html?3261

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

5) Resource exhaustion

EUVDB-ID: #VU57389

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-42340

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak when processing HTTP connections. A remote attacker can initiate multiple HTTP connections with the web server and consume all available memory on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Agile PLM Framework: 9.3.6

CPE2.3

cpe:2.3:a:oracle:oracle_agile_plm_framework:9.3.6:*:*:*:*:*:*:*

External links

http://www.oracle.com/security-alerts/cpuapr2022.html?3261

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?