CVE-2015-4849 - OpenCVE

Unspecified vulnerability in the Oracle Payments component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Punch-in. NOTE: the previous information is from the October 2015 CPU. Oracle has not commented on third-party claims that this issue is an XML External Entity (XXE) vulnerability, which allows remote attackers to cause a denial of service or conduct SMB Relay attacks via a crafted DTD in an XML request to OA_HTML/IspPunchInServlet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Oracle	E-business Suite

Configuration 1 [-]

OR	cpe:2.3:a:oracle:e-business_suite:11.5.10.2:::::::*
	cpe:2.3:a:oracle:e-business_suite:12.0.6:::::::*
	cpe:2.3:a:oracle:e-business_suite:12.1.3:::::::*
	cpe:2.3:a:oracle:e-business_suite:12.2.3:::::::*
	cpe:2.3:a:oracle:e-business_suite:12.2.4:::::::*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/134118/Oracle-E-Business-Suite-12.1.3-XXE-Injection.html
http://seclists.org/fulldisclosure/2015/Oct/112
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
http://www.securityfocus.com/archive/1/536789/100/0/threaded
http://www.securityfocus.com/bid/77243
http://www.securitytracker.com/id/1033877
https://erpscan.io/advisories/erpscan-15-029-oracle-e-business-suite-xxe-injection-vulnerability/

History

No history.

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2015-10-21T23:00:00

Updated: 2024-08-06T06:25:21.941Z

Reserved: 2015-06-24T00:00:00

Link: CVE-2015-4849

Vulnrichment

No data.

NVD

Status : Modified

Published: 2015-10-21T23:59:17.387

Modified: 2018-12-10T19:29:10.360

Link: CVE-2015-4849

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-10-21T00:00:00", "descriptions": [{"lang": "en", "value": "Unspecified vulnerability in the Oracle Payments component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Punch-in. NOTE: the previous information is from the October 2015 CPU. Oracle has not commented on third-party claims that this issue is an XML External Entity (XXE) vulnerability, which allows remote attackers to cause a denial of service or conduct SMB Relay attacks via a crafted DTD in an XML request to OA_HTML/IspPunchInServlet."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-12-10T17:57:01", "orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle"}, "references": [{"name": "1033877", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1033877"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/134118/Oracle-E-Business-Suite-12.1.3-XXE-Injection.html"}, {"name": "20151029 [ERPSCAN-15-029] Oracle E-Business Suite - XXE injection Vulnerability", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/536789/100/0/threaded"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html"}, {"tags": ["x_refsource_MISC"], "url": "https://erpscan.io/advisories/erpscan-15-029-oracle-e-business-suite-xxe-injection-vulnerability/"}, {"name": "20151030 [ERPSCAN-15-029] Oracle E-Business Suite - XXE injection Vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2015/Oct/112"}, {"name": "77243", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/77243"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert_us@oracle.com", "ID": "CVE-2015-4849", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Unspecified vulnerability in the Oracle Payments component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Punch-in. NOTE: the previous information is from the October 2015 CPU. Oracle has not commented on third-party claims that this issue is an XML External Entity (XXE) vulnerability, which allows remote attackers to cause a denial of service or conduct SMB Relay attacks via a crafted DTD in an XML request to OA_HTML/IspPunchInServlet."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "1033877", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1033877"}, {"name": "http://packetstormsecurity.com/files/134118/Oracle-E-Business-Suite-12.1.3-XXE-Injection.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/134118/Oracle-E-Business-Suite-12.1.3-XXE-Injection.html"}, {"name": "20151029 [ERPSCAN-15-029] Oracle E-Business Suite - XXE injection Vulnerability", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/536789/100/0/threaded"}, {"name": "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html"}, {"name": "https://erpscan.io/advisories/erpscan-15-029-oracle-e-business-suite-xxe-injection-vulnerability/", "refsource": "MISC", "url": "https://erpscan.io/advisories/erpscan-15-029-oracle-e-business-suite-xxe-injection-vulnerability/"}, {"name": "20151030 [ERPSCAN-15-029] Oracle E-Business Suite - XXE injection Vulnerability", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2015/Oct/112"}, {"name": "77243", "refsource": "BID", "url": "http://www.securityfocus.com/bid/77243"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T06:25:21.941Z"}, "title": "CVE Program Container", "references": [{"name": "1033877", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1033877"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/134118/Oracle-E-Business-Suite-12.1.3-XXE-Injection.html"}, {"name": "20151029 [ERPSCAN-15-029] Oracle E-Business Suite - XXE injection Vulnerability", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/536789/100/0/threaded"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://erpscan.io/advisories/erpscan-15-029-oracle-e-business-suite-xxe-injection-vulnerability/"}, {"name": "20151030 [ERPSCAN-15-029] Oracle E-Business Suite - XXE injection Vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2015/Oct/112"}, {"name": "77243", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/77243"}]}]}, "cveMetadata": {"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "assignerShortName": "oracle", "cveId": "CVE-2015-4849", "datePublished": "2015-10-21T23:00:00", "dateReserved": "2015-06-24T00:00:00", "dateUpdated": "2024-08-06T06:25:21.941Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:e-business_suite:11.5.10.2:*:*:*:*:*:*:*", "matchCriteriaId": "80B61990-9CC2-4215-9879-AC817F4E6767", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:e-business_suite:12.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "4C6BAB4D-1DF5-4ECB-A07E-297A94664BBE", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:e-business_suite:12.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "9E42C3CE-CA98-4C13-B41E-DF7A3FEC560F", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:e-business_suite:12.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "86D2B444-B8D8-4A3D-BCCA-3B5280F05A38", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:e-business_suite:12.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "0FDD0B52-77F6-4607-84F8-1BCF99DB1B23", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Unspecified vulnerability in the Oracle Payments component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Punch-in. NOTE: the previous information is from the October 2015 CPU. Oracle has not commented on third-party claims that this issue is an XML External Entity (XXE) vulnerability, which allows remote attackers to cause a denial of service or conduct SMB Relay attacks via a crafted DTD in an XML request to OA_HTML/IspPunchInServlet."}, {"lang": "es", "value": "Vulnerabilidad no especificada en el componente Oracle Payments en Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.3 y 12.2.4 permite a atacantes remotos afectar a la confidencialidad, la integridad y la disponibilidad a trav\u00e9s de vectores desconocidos relacionados con Punch-in. NOTA: la informaci\u00f3n anterior es de la CPU de Octubre de 2015. Oracle no ha comentado sobre alegaciones de terceros que consideran que este problema es una vulnerabilidad de Entidad Externa XML (XXE), lo que permite a atacantes remotos causar una denegaci\u00f3n de servicio o llevar a cabo ataques SMB Relay a trav\u00e9s de un DTD manipulado en una petici\u00f3n XML a OA_HTML/IspPunchInServlet."}], "id": "CVE-2015-4849", "lastModified": "2018-12-10T19:29:10.360", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-10-21T23:59:17.387", "references": [{"source": "secalert_us@oracle.com", "url": "http://packetstormsecurity.com/files/134118/Oracle-E-Business-Suite-12.1.3-XXE-Injection.html"}, {"source": "secalert_us@oracle.com", "url": "http://seclists.org/fulldisclosure/2015/Oct/112"}, {"source": "secalert_us@oracle.com", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html"}, {"source": "secalert_us@oracle.com", "url": "http://www.securityfocus.com/archive/1/536789/100/0/threaded"}, {"source": "secalert_us@oracle.com", "url": "http://www.securityfocus.com/bid/77243"}, {"source": "secalert_us@oracle.com", "url": "http://www.securitytracker.com/id/1033877"}, {"source": "secalert_us@oracle.com", "url": "https://erpscan.io/advisories/erpscan-15-029-oracle-e-business-suite-xxe-injection-vulnerability/"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}