Sploit.io - Search

Product: E-Business Suite Technology Stack, version: >= 12.2.3, <= 12.2.13

CVE-2024-20990

Severity: MEDIUM

Description: Vulnerability in the Oracle Applications Technology product of Oracle E-Business Suite (component: Templates). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Applications Technology. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Applications Technology accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVSS Score: 5.3

Priority: D

CISA Data

EPSS Data

  • EPSS: 0.000430000
  • Percentile: 0.115270000
  • Date: 2025-01-05

ExploitDB

No data available.

HackerOne Data

  • Rank: 7435
  • Reports submitted count: 0
  • Unknown: 0
  • None: 0
  • Low: 0
  • Medium: 0
  • High: 0
  • Critical: 0

GitHub PoCs

Nuclei Templates

No data available.

VulnCheck Data

Affected Products:

  • Oracle Corporation E-Business Suite Technology Stack - Versions: 12.2.3

References:

Risk Assessment

1. Risk Assessment
The vulnerability identified as CVE-2024-20990 is a medium-severity issue with a CVSS base score of 5.3. It affects Oracle Applications Technology within the Oracle E-Business Suite, specifically the Templates component. The vulnerability is easily exploitable by an unauthenticated attacker with network access via HTTP. Successful exploitation could result in unauthorized read access to a subset of Oracle Applications Technology data, impacting confidentiality. The attack complexity is low, and no user interaction or privileges are required, making it relatively straightforward for attackers to exploit.

The business impact of this vulnerability is primarily related to data confidentiality. Unauthorized access to sensitive data could lead to reputational damage, regulatory non-compliance, and potential financial losses. However, the vulnerability does not affect data integrity or system availability, which limits its overall severity. The likelihood of exploitation is moderate, given the low complexity and the absence of authentication requirements. Organizations using affected versions of Oracle E-Business Suite Technology Stack (12.2.3 to 12.2.13) should prioritize addressing this issue to mitigate potential risks.

2. Potential Attack Scenarios
An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected Oracle Applications Technology component. Since no authentication is required, the attacker only needs network access to the target system. The attack process would involve scanning for vulnerable instances of Oracle E-Business Suite, identifying the specific endpoint associated with the Templates component, and sending malicious requests to extract sensitive data.

The potential outcome of this attack is the unauthorized disclosure of sensitive information stored within Oracle Applications Technology. For example, an attacker could gain access to proprietary business data, customer information, or internal system configurations. While the attacker cannot modify or delete data, the exposure of confidential information could still have significant consequences for the affected organization, including regulatory penalties and loss of customer trust.

3. Mitigation Recommendations
The primary mitigation for this vulnerability is to apply the relevant patches provided by Oracle. Organizations should refer to the Oracle Security Alert Advisory (https://www.oracle.com/security-alerts/cpuapr2024.html) for detailed patch information and instructions. Immediate action is recommended to update affected systems to a version beyond 12.2.13, as this vulnerability is present in versions 12.2.3 through 12.2.13.

In addition to patching, organizations should implement network-level controls to restrict access to the affected systems. This includes using firewalls to limit HTTP traffic to trusted sources and monitoring network traffic for unusual patterns that may indicate exploitation attempts. Regular vulnerability scanning and penetration testing should also be conducted to identify and address similar issues proactively.

4. Executive Summary
CVE-2024-20990 is a medium-severity vulnerability affecting Oracle E-Business Suite Technology Stack, specifically the Templates component. It allows unauthenticated attackers to gain unauthorized read access to sensitive data, posing a risk to data confidentiality. While the vulnerability does not impact system integrity or availability, its exploitation could lead to reputational damage, regulatory penalties, and financial losses.

The vulnerability is easily exploitable, requiring only network access and no user interaction. Organizations using affected versions of Oracle E-Business Suite (12.2.3 to 12.2.13) should prioritize applying the patches provided by Oracle to mitigate the risk. Immediate action is recommended to prevent potential data breaches and ensure compliance with data protection regulations. By addressing this vulnerability promptly, organizations can safeguard sensitive information and maintain customer trust.