Multiple vulnerabilities in Oracle Agile Engineering Data Management



Published: 2022-07-20 | Updated: 2022-09-22
Risk Medium
Patch available YES
Number of vulnerabilities 8
CVE-ID CVE-2021-29425
CVE-2020-17521
CVE-2021-36374
CVE-2022-23437
CVE-2019-10086
CVE-2021-42340
CVE-2020-11987
CVE-2020-10683
CWE-ID CWE-22
CWE-276
CWE-400
CWE-835
CWE-693
CWE-918
CWE-749
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Oracle Agile Engineering Data Management
Other software / Other software solutions

Vendor Oracle

Security Bulletin

This security bulletin contains information about 8 vulnerabilities.

1) Path traversal

EUVDB-ID: #VU52252

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-29425

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error within the FileNameUtils.normalize method when processing directory traversal sequences, such as "//../foo", or "\..foo". A remote attacker can send a specially crafted request and verify files availability in the parent folder.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Agile Engineering Data Management: 6.2.1.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?3252

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Incorrect default permissions

EUVDB-ID: #VU48792

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-17521

CWE-ID: CWE-276 - Incorrect Default Permissions

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions for temporary files and folders that are set by the application. A local user with access to the system can view contents of files and directories or modify them.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Agile Engineering Data Management: 6.2.1.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?3252

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Resource exhaustion

EUVDB-ID: #VU54856

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-36374

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when processing ZIP archives. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Agile Engineering Data Management: 6.2.1.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?3252

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

4) Infinite loop

EUVDB-ID: #VU59965

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-23437

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop when parsing XML documents. A remote attacker can supply a specially crafted XML document, consume all available system resources and cause denial of service conditions.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Agile Engineering Data Management: 6.2.1.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?3252

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

5) Protection mechanism failure

EUVDB-ID: #VU20844

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2019-10086

CWE-ID: CWE-693 - Protection Mechanism Failure

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exist due to Beanutils is not using by default the a special BeanIntrospector class in PropertyUtilsBean that was supposed to suppress the ability for an attacker to access the classloader via the class property available on all Java objects. A remote attacker can abuse such application behavior against applications that were developed to rely on this security feature.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Agile Engineering Data Management: 6.2.1.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?3252

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

6) Resource exhaustion

EUVDB-ID: #VU57389

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-42340

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak when processing HTTP connections. A remote attacker can initiate multiple HTTP connections with the web server and consume all available memory on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Agile Engineering Data Management: 6.2.1.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?3252

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

7) Server-Side Request Forgery (SSRF)

EUVDB-ID: #VU52501

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-11987

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Agile Engineering Data Management: 6.2.1.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?3252

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

8) Exposed dangerous method or function

EUVDB-ID: #VU28238

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-10683

CWE-ID: CWE-749 - Exposed Dangerous Method or Function

Exploit availability: No

Description

The vulnerability allows a remote attacker to abuse implemented functionality.

The vulnerability exists due to dom4j allows by default external DTDs and External Entities. A remote attacker can abuse this functionality and perform XXE attack against application that uses dom4j default configuration.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Agile Engineering Data Management: 6.2.1.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?3252

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###