How the mentioned CVE works:
The vulnerability resides in the Runtime UI component of Oracle Configurator, which ships as part of Oracle E-Business Suite. An unauthenticated attacker with network access over HTTP can send a crafted request to a vulnerable instance; the component does not correctly validate or authorize that request, so the attacker bypasses the intended access checks and reaches application functions that return sensitive configuration data. Because no authentication is required and the attack is low in complexity, it is easy to exploit. Successful exploitation gives the attacker unauthorized read access to all data reachable through the Oracle Configurator module, i.e. a complete loss of confidentiality for that data; the impact described is to confidentiality only.
Platform: Oracle E-Business Suite
Version: 12.2.3-12.2.14
Vulnerability : Unauthenticated Data Access
Severity: High
Date: 2024-04-16
Prediction: 2024-10-31
What Undercode Says:
`curl -X GET http://`
`nmap -p 80,443 --script http-vuln-cve2024-21000 <target>` (this script is not part of the stock Nmap distribution; confirm it is installed with `nmap --script-help http-vuln-cve2024-21000` before relying on the result)
`grep -r "cfgui" /oa_directories/`
How Exploit:
Send a crafted HTTP request to the Configurator Runtime UI of the target E-Business Suite instance.
Bypass the authentication and authorization checks the component fails to enforce.
Exfiltrate the sensitive configuration data returned in the response.
Protection from this CVE
Apply the Oracle Critical Patch Update (April 2024) for Oracle E-Business Suite.
Implement network access controls so that the Configurator Runtime UI is reachable only from trusted networks.
Use a Web Application Firewall in front of the E-Business Suite web tier.
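The following is an added example, not code from the original page or from Oracle: a small Python script that (a) checks whether a reported E-Business Suite version falls inside the affected range stated above and (b) scans web-tier access logs for requests to the Configurator Runtime UI that originate outside an allowlisted network, which is the check you would run after putting the network access control in place or while triaging whether an unpatched instance was probed. The URL prefix `/OA_HTML/configurator/` is an assumption about where the Runtime UI is served and should be adjusted to your deployment; the log lines are constructed for the example.

```python
import ipaddress
import re
from typing import Iterable, List, Sequence, Tuple

# Affected E-Business Suite range stated on the page (inclusive).
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)

# ASSUMPTION: URL prefix of the Oracle Configurator Runtime UI on the EBS web tier.
# Adjust this to the path your deployment actually exposes.
CONFIGURATOR_PATH_RE = re.compile(r"/OA_HTML/configurator/", re.IGNORECASE)

# Apache / Oracle HTTP Server "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (not real traffic). 10.20.1.15 is an internal
# client; 203.0.113.44 is an external host hitting the Configurator UI.
SAMPLE_LOG = """\
10.20.1.15 - - [16/Apr/2024:10:01:02 +0000] "GET /OA_HTML/configurator/UiServlet?foo=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.44 - - [16/Apr/2024:10:01:07 +0000] "GET /OA_HTML/configurator/UiServlet?config_id=1 HTTP/1.1" 200 88231 "-" "curl/8.4.0"
203.0.113.44 - - [16/Apr/2024:10:01:09 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 40201 "-" "curl/8.4.0"
198.51.100.9 - - [16/Apr/2024:10:02:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_version(ver: str) -> Tuple[int, int, int]:
    """Turn '12.2.10' (or '12.2.10.1') into a comparable (12, 2, 10) tuple."""
    parts = ver.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised EBS version string: {ver!r}")
    major, minor, patch = (int(p) for p in parts[:3])
    return (major, minor, patch)


def is_affected_version(ver: str) -> bool:
    """True if the version lies in the 12.2.3 .. 12.2.14 range named on the page."""
    return AFFECTED_MIN <= parse_version(ver) <= AFFECTED_MAX


def flag_external_configurator_requests(
    lines: Iterable[str], allowed_cidrs: Sequence[str]
) -> List[Tuple[str, str, str, int]]:
    """Return (ip, method, path, status) for every request to the Configurator
    Runtime UI whose source address is outside the allowlisted networks."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    hits: List[Tuple[str, str, str, int]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if not CONFIGURATOR_PATH_RE.search(m["path"]):
            continue  # only the Configurator UI is of interest here
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed source address; not a routable client
        if any(src in net for net in allowed):
            continue  # trusted network, permitted by the access control
        hits.append((m["ip"], m["method"], m["path"], int(m["status"])))
    return hits


def scan_sample() -> List[Tuple[str, str, str, int]]:
    """Run the log check over the constructed sample with 10.0.0.0/8 trusted."""
    return flag_external_configurator_requests(
        SAMPLE_LOG.splitlines(), allowed_cidrs=["10.0.0.0/8"]
    )


if __name__ == "__main__":
    for v in ("12.2.2", "12.2.3", "12.2.10", "12.2.14", "12.2.15"):
        print(f"{v}: affected={is_affected_version(v)}")
    for ip, method, path, status in scan_sample():
        print(f"EXTERNAL {method} {path} from {ip} -> {status}")
```

Feed the script your real access logs (`flag_external_configurator_requests(open(path), ["10.0.0.0/8"])`) and your actual trusted ranges; every hit with a 200 status from an address you do not recognise is a request the network access control above should have blocked and is worth correlating with the patch date of the instance.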
Impact:
Unauthorized data access.
Complete confidentiality loss.
Critical information disclosure.
Sources:
Reported By: www.cve.org
Extra Source Hub:
Undercode

