SB2025071648 - Multiple vulnerabilities in Oracle Communications Cloud Native Core Policy 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025071648

SB2025071648 - Multiple vulnerabilities in Oracle Communications Cloud Native Core Policy

Published: July 16, 2025 Updated: August 29, 2025

Security Bulletin ID SB2025071648
Severity
Critical
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Critical 20% Medium 60% Low 20%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2025-31721)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to improper permission check in an HTTP endpoint. A remote user can copy an agent to gain access to encrypted secrets in its configuration.


2) Resource exhaustion (CVE-ID: CVE-2024-12133)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources processing a large number of SEQUENCE OF or SET OF elements in a certificate. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


3) Improper authentication (CVE-ID: CVE-2024-12797)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to an error when using RFC7250 Raw Public Keys (RPKs) to authenticate a server. TLS and DTLS connections using raw public keys are vulnerable to man-in-middle attacks when server authentication failure is not detected by clients.

Note, the vulnerability can be exploited only when TLS clients explicitly enable RPK use by the server, and the server, likewise, enables sending of an RPK instead of an X.509 certificate chain.


4) OS Command Injection (CVE-ID: CVE-2024-9287)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper input validation in the venv module when creating a virtual environment. A local user can pass specially crafted strings to the application and execute arbitrary OS commands on the target system.


5) Out-of-bounds write (CVE-ID: CVE-2025-27363)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input. A remote attacker can pass a specially crafted font to the application that is using an affected version of the library, trigger an out-of-bounds write and execute arbitrary code on the target system.


Remediation

Install update from vendor's website.

References