Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2024-31141, CVE-2025-48734 |
CWE-ID | CWE-200, CWE-284 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Oracle Communications Unified Inventory Management (Server applications / Other server solutions) |
Vendor | Oracle |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU100780
Risk: Medium
CVSSv4.0: 5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-31141
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
Description:
The vulnerability allows a remote user to escalate privileges within the application.
The vulnerability exists due to the way Apache Kafka Clients handle custom configurations. A remote user with access to the REST API can read arbitrary files and variables on the system and escalate their privileges to filesystem/environment access.
Mitigation: Install the update from the vendor's website.
Vulnerable software versions: Oracle Communications Unified Inventory Management: 7.5.1 - 7.8.0
https://www.oracle.com/security-alerts/cpujul2025.html?504206
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU111165
Risk: Medium
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-48734
CWE-ID: CWE-284 - Improper Access Control
Exploit availability: No
Description:
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions to enum properties. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty().
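The following is an added example, not part of this bulletin and not code from Commons BeanUtils or Oracle: one way for application code to check an externally supplied property path against an allowlist before it reaches getProperty() or getNestedProperty(). The class name `PropertyPathGuard`, its `check` method and the sample allowlist are assumptions made for illustration.

```java
import java.util.Set;
import java.util.regex.Pattern;

/** Added example: allowlist gate for externally supplied BeanUtils property paths. */
public class PropertyPathGuard {
    // One path segment: a name, optionally indexed "name[0]" or mapped "name(key)".
    private static final Pattern SEGMENT =
            Pattern.compile("([A-Za-z_][A-Za-z0-9_]*)(\\[\\d+\\]|\\([A-Za-z0-9_]+\\))?");

    private final Set<String> allowedNames;

    public PropertyPathGuard(Set<String> allowedNames) {
        this.allowedNames = Set.copyOf(allowedNames);
    }

    /** Returns the path unchanged if every segment is allowlisted, otherwise throws. */
    public String check(String path) {
        if (path == null || path.isEmpty() || path.length() > 128) {
            throw new IllegalArgumentException("property path missing or too long");
        }
        // Nested properties are separated by '.'; -1 keeps empty segments so "a..b" fails.
        // Mapped keys that contain '.' are split here too and therefore rejected.
        for (String segment : path.split("\\.", -1)) {
            var m = SEGMENT.matcher(segment);
            if (!m.matches() || !allowedNames.contains(m.group(1))) {
                throw new IllegalArgumentException("segment not allowed: " + segment);
            }
        }
        return path;
    }

    public static void main(String[] args) {
        // Constructed allowlist for a hypothetical order bean.
        var guard = new PropertyPathGuard(Set.of("status", "customer", "name", "items"));
        // Constructed inputs; the last three are rejected.
        for (String p : new String[] {"status", "customer.name", "items[0].name",
                "status.declaredClass", "customer..name", "items[0"}) {
            try {
                System.out.println("allowed:  " + guard.check(p));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + p);
            }
        }
    }
}
```

Because the gate is an allowlist of the bean's own property names, it does not depend on naming the enum property at all: any segment the application did not explicitly expose is refused.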
Mitigation: Install the update from the vendor's website.
Vulnerable software versions: Oracle Communications Unified Inventory Management: 7.4.0 - 7.8.0
https://www.oracle.com/security-alerts/cpujul2025.html?504206
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.