SB2026042225 - Multiple vulnerabilities in Oracle Financial Services Analytical Applications Infrastructure
Published: April 22, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 10 vulnerabilities.
1) Cross-site request forgery (CVE-ID: CVE-2025-41254)
CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in STOMP over WebSocket applications. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
2) Improper validation of certificate with host mismatch (CVE-ID: CVE-2025-68161)
CWE-ID: CWE-297 - Improper Validation of Certificate with Host Mismatch
CVSSv4: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to the Socket Appender does not perform TLS hostname verification of the peer certificate, even when the "verifyHostName" configuration attribute or the "log4j2.sslVerifyHostName" system property is set to true. A remote attacker can perform MitM attack and intercept or redirect the log traffic.
3) Improper input validation (CVE-ID: CVE-2026-34321)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote authenticated user to gain access to sensitive information.
The vulnerability exists due to improper input validation within the User Interface component in Oracle Financial Services Analytical Applications Infrastructure. A remote authenticated user can exploit this vulnerability to gain access to sensitive information.
4) Information disclosure (CVE-ID: CVE-2021-28168)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to gain access to potentially sensitive information.
The vulnerability exists due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. A local attacker can gain unauthorized access to sensitive information on the system.
5) Improper input validation (CVE-ID: CVE-2026-34313)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote authenticated user to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Platform component in Oracle Financial Services Analytical Applications Infrastructure. A remote authenticated user can exploit this vulnerability to gain access to sensitive information.
6) Improper input validation (CVE-ID: CVE-2026-34325)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local authenticated user to compromise the application.
The vulnerability exists due to improper input validation within the User Interface component in Oracle Financial Services Analytical Applications Infrastructure. A local authenticated user can exploit this vulnerability to compromise the application.
7) Improper input validation (CVE-ID: CVE-2026-34314)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote authenticated user to read and manipulate data.
The vulnerability exists due to improper input validation within the Platform component in Oracle Financial Services Analytical Applications Infrastructure. A remote authenticated user can exploit this vulnerability to read and manipulate data.
8) Configuration (CVE-ID: CVE-2025-27820)
CWE-ID: CWE-16 - Configuration
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The issue may allow a remote attacker to bypass security restrictions.
The issue exists due to an error in PSL validation logic that disables domain checks, affecting cookie management and host name verification. A remote attacker can gain unauthorized access to sensitive information.
9) Improper input validation (CVE-ID: CVE-2026-22010)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Platform component in Oracle Financial Services Analytical Applications Infrastructure. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
10) Improper input validation (CVE-ID: CVE-2026-34310)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Platform component in Oracle Financial Services Analytical Applications Infrastructure. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
Remediation
Install update from vendor's website.