SB2026042277 - Multiple vulnerabilities in Oracle Communications Cloud Native Core Unified Data Repository
Published: April 22, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 7 vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2025-48795)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote privileged user to read and manipulate data.
The vulnerability exists due to improper input validation within the Endeca Integration (Apache CXF) component in Oracle Commerce Platform. A remote privileged user can exploit this vulnerability to read and manipulate data.
2) Unsynchronized access to shared data in a multithreaded context (CVE-ID: CVE-2025-14017)
CWE-ID: CWE-567 - Unsynchronized Access to Shared Data in a Multithreaded Context
CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows an attacker to bypass implemented security restrictions.
The vulnerability exists due to an error when performing multithreaded LDAPS transfers (LDAP over TLS) with libcurl. Changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. For example, disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well, leading to a MitM attacks against other websites.
3) Improper handling of highly compressed data (CVE-ID: CVE-2026-21441)
CWE-ID: CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the application does not properly handle highly compressed data when sending HTTP redirect responses. A remote attacker can multiple large requests to the application, consume all available CPU and memory resources and perform a denial of service attack.
4) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-66418)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to missing limits on the number of links in the decompression chain when handling gzip or zstd data in the server response. A malicious server can send a response with a large amount of links and cause high CPU load, leading to a denial of service condition.
5) Stack-based buffer overflow (CVE-ID: CVE-2025-13151)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a boundary error within the asn1_expend_octet_string() function. A remote attacker can pass specially crafted certificate to the application, trigger a stack-based buffer overflow and perform a denial of service attack..
6) Improper Neutralization of Server-Side Includes (SSI) Within a Web Page (CVE-ID: CVE-2025-58098)
CWE-ID: CWE-97 - Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
CVSSv4: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear
The vulnerability allows a remote attacker to execute arbitrary commands.
The vulnerability exists due to insufficient input validation with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi). The web server passes the shell-escaped query string to #exec cmd="..." directives. A remote attacker can send a specially crafted HTTP request to the server and potentially execute arbitrary code.
7) Improper Neutralization of HTTP Headers for Scripting Syntax (CVE-ID: CVE-2025-12543)
CWE-ID: CWE-644 - Improper Neutralization of HTTP Headers for Scripting Syntax
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to improper input validation when processing HTTP requests. A remote non-authenticated attacker can send a specially crafted HTTP request with an arbitrary Host header that will be accepted by the application.
Successful exploitation of the vulnerability may allow an attacker to perform cross-site scripting, cache poisoning or session hijacking attacks.
Remediation
Install update from vendor's website.