#VU27264 Improper input validation in Oracle Retail Order Broker


Published: 2020-04-23 | Updated: 2020-06-03

Vulnerability identifier: #VU27264

Vulnerability risk: Medium

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-5398

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Oracle Retail Order Broker
Other software / Other software solutions

Vendor: Oracle

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the System Administration (Spring Framework) component in Oracle Retail Order Broker. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Oracle Retail Order Broker: 15.0 - 16.0

External links
http://www.oracle.com/security-alerts/cpuapr2020.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.


Latest bulletins with this vulnerability


Improper input validation in Oracle Retail Back Office
Improper input validation in Oracle Retail Central Office
Improper input validation in Oracle Retail Point-of-Service
Improper input validation in Oracle Retail Returns Management
Multiple vulnerabilities in Oracle Communications Cloud Native Core Policy
Improper input validation in Siebel Engineering - Installer & Deployment
Multiple vulnerabilities in Oracle Retail Bulk Data Integration
Multiple vulnerabilities in Oracle Application Testing Suite
Multiple vulnerabilities in Enterprise Manager Base Platform
Multiple vulnerabilities in Oracle Insurance Policy Administration J2EE