#VU52385 Improper input validation in Oracle REST Data Services


Published: 2021-08-18 | Updated: 2023-11-16

Vulnerability identifier: #VU52385

Vulnerability risk: Medium

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-27223

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Oracle REST Data Services
Universal components / Libraries / Software for developers

Vendor: Oracle

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the General (Eclipse Jetty) component in Oracle REST Data Services. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Oracle REST Data Services: 20.2.1

External links
http://www.oracle.com/security-alerts/cpuapr2021.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.


Latest bulletins with this vulnerability


Multiple vulnerabilities in HPE Unified Mediation Bus (UMB)
Multiple vulnerabilities in IBM App Connect Enterprise Toolkit and the IBM Integration Bus Toolkit
Multiple vulnerabilities in IBM Cognos Command Center
Improper input validation in IBM Process Mining
Multiple vulnerabilities in IBM Security Verify Governance
Multiple vulnerabilities in Dell Storage Monitoring and Reporting (SMR)
Multiple vulnerabilities in Dell Security Management Server
Multiple vulnerabilities in Red Hat Integration Camel-K
Multiple vulnerabilities in Red Hat AMQ Broker
Multiple vulnerabilities in Red Hat Migration Toolkit for Containers