Main Vulnerability Database SB2022101953

SB2022101953 - Multiple vulnerabilities in Oracle Agile PLM Framework

Published: October 19, 2022 Updated: October 25, 2024

Security Bulletin ID SB2022101953

Severity

Medium

Patch available

YES

Number of vulnerabilities 3

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Out-of-bounds write (CVE-ID: CVE-2020-36518)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when processing untrusted input. A remote attacker can trigger out-of-bounds write and cause a denial of service condition on the target system.

2) Incorrect Regular Expression (CVE-ID: CVE-2022-24729)

The vulnerability allows a remote attacker to perform regular expression denial of service attack.

The vulnerability exists due to improper input validation in CKEditor 4 dialog plugin. A remote attacker can pass specially crafted input to the application and perform regular expression denial of service (ReDoS) attack.

3) Data Handling (CVE-ID: CVE-2022-29885)

The vulnerability allows a remote attacker to perform DoS attack.

The vulnerability exists due to an error in documentation for the EncryptInterceptor, which incorrectly stated that it enabled Tomcat clustering to run over an untrusted network. A remote attacker can perform a denial of service attack against the exposed EncryptInterceptor.

Remediation

Install update from vendor's website.

References

https://www.oracle.com/security-alerts/cpuoct2022.html?3261