Multiple vulnerabilities in Oracle REST Data Services
Published: 2022-07-19
Risk: Medium
Patch available: Yes
Number of vulnerabilities: 2
CVE-ID: CVE-2021-34429, CVE-2021-41184
CWE-ID: CWE-284, CWE-79
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available.
Vulnerable software: Oracle REST Data Services (Universal components / Libraries / Software for developers)

Vendor: Oracle

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Improper access control

EUVDB-ID: #VU56964

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-34429

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper input validation when processing certain characters in the URI. A remote attacker can send a specially crafted HTTP request with encoded characters in the URI, bypass the implemented security restrictions and access the contents of the WEB-INF directory.
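The description above names the weakness but not how to recognise such requests in logs. As an added detection example (not from the advisory or from Oracle), the Python below canonicalizes request paths from constructed access-log lines before checking for restricted directories, so percent-encoded, double-encoded and dot-segment forms are matched the same way as the plain path. The `/ords` context path and the log line format are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (method, path, status); /ords and the format are assumptions.
SAMPLE_LOG = """\
GET /ords/f?p=100 200
GET /ords/WEB-INF/web.xml 404
GET /ords/%57EB-INF/web.xml 200
GET /ords/%2557EB-INF/web.xml 200
GET /ords/static/../%77eb-inf/classes/ 200
"""

RESTRICTED = ("WEB-INF", "META-INF")
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{3})$")

def canonical_path(raw, max_rounds=3):
    # Percent-decode until stable (defeats double encoding), then resolve
    # "." and ".." segments so the check runs on the resolved path.
    path = raw.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)

def is_restricted(raw):
    # Case-insensitive match on whole segments of the canonical path.
    return any(s.upper() in RESTRICTED for s in canonical_path(raw).split("/"))

def scan_log(text):
    # (raw_path, canonical_path, status) per request that reaches a restricted
    # directory; a 2xx status is the sign that the restriction was bypassed.
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and is_restricted(m.group(2)):
            hits.append((m.group(2), canonical_path(m.group(2)), int(m.group(3))))
    return hits

if __name__ == "__main__":
    for raw, canon, status in scan_log(SAMPLE_LOG):
        print("BYPASS?" if 200 <= status < 300 else "blocked", status, raw, "->", canon)
```

A request whose canonical path reaches WEB-INF and still returns 2xx is the one worth alerting on; a 404 shows the restriction held.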

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Oracle REST Data Services: before 22.1.1


External links

http://www.oracle.com/security-alerts/cpujul2022.html?917287

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Cross-site scripting

EUVDB-ID: #VU58271

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-41184

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: Yes

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of values passed to the `of` option. A remote attacker can execute arbitrary JavaScript code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Oracle REST Data Services: before 22.1.1


External links

http://www.oracle.com/security-alerts/cpujul2022.html?917287

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?