Multiple vulnerabilities in Oracle Agile PLM Framework



Published: 2022-10-19
Risk: Medium
Patch available: YES
Number of vulnerabilities: 3
CVE-ID: CVE-2020-36518, CVE-2022-24729, CVE-2022-29885
CWE-ID: CWE-787, CWE-185, CWE-19
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #3 is available.
Vulnerable software: Oracle Agile PLM Framework (Universal components / Libraries / Software for developers)
Vendor: Oracle

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Out-of-bounds write

EUVDB-ID: #VU61799

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-36518

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when processing untrusted input. A remote attacker can trigger an out-of-bounds write and cause a denial of service condition on the target system.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Oracle Agile PLM Framework: 9.3.6


External links

http://www.oracle.com/security-alerts/cpuoct2022.html?3261


2) Incorrect Regular Expression

EUVDB-ID: #VU61427

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-24729

CWE-ID: CWE-185 - Incorrect Regular Expression

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a regular expression denial of service (ReDoS) attack.

The vulnerability exists due to improper input validation in the CKEditor 4 dialog plugin. A remote attacker can pass specially crafted input to the application and perform a regular expression denial of service (ReDoS) attack.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Oracle Agile PLM Framework: 9.3.6


External links

http://www.oracle.com/security-alerts/cpuoct2022.html?3261


3) Data Handling

EUVDB-ID: #VU63225

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-29885

CWE-ID: CWE-19 - Data Handling

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an error in documentation for the EncryptInterceptor, which incorrectly stated that it enabled Tomcat clustering to run over an untrusted network. A remote attacker can perform a denial of service attack against the exposed EncryptInterceptor.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Oracle Agile PLM Framework: 9.3.6


External links

http://www.oracle.com/security-alerts/cpuoct2022.html?3261
