Arbitrary file disclosure in Oracle Agile PLM Framework



Risk Critical
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2024-21287
CWE-ID CWE-862
Exploitation vector Network
Public exploit This vulnerability is being exploited in the wild.
Vulnerable software
Oracle Agile PLM Framework
Universal components / Libraries / Software for developers

Vendor Oracle

Security Bulletin

This security bulletin contains one critical risk vulnerability.

1) Missing Authorization

EUVDB-ID: #VU100691

Risk: Critical

CVSSv3.1: 9.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N/E:H/RL:O/RC:C]

CVE-ID: CVE-2024-21287

CWE-ID: CWE-862 - Missing Authorization

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to missing authorization within the Software Development Kit, Process Extension component. A remote non-authenticated attacker can send a specially crafted HTTP request and view arbitrary files on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise the system.

Note: the vulnerability is being actively exploited in the wild.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Oracle Agile PLM Framework: 9.3.1.1 - 9.3.6

External links

http://www.oracle.com/security-alerts/alert-cve-2024-21287.html
http://www.oracle.com/security-alerts/cve-2024-21287verbose.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.


