CVE-2017-3548 - OpenCVE

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Integration Broker). Supported versions that are affected are 8.54 and 8.55. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of PeopleSoft Enterprise PeopleTools. CVSS 3.0 Base Score 6.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L).

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Oracle	Peoplesoft Enterprise Peopletools

Configuration 1 [-]

OR	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.54:::::::*
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:::::::*

No data.

References

Link	Providers
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
http://www.securityfocus.com/bid/97880
http://www.securitytracker.com/id/1038301
https://erpscan.io/advisories/erpscan-17-020-xxe-via-doctype-peoplesoft/
https://www.exploit-db.com/exploits/41925/

History

No history.

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2017-04-24T19:00:00

Updated: 2024-08-05T14:30:57.996Z

Reserved: 2016-12-06T00:00:00

Link: CVE-2017-3548

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2017-04-24T19:59:04.393

Modified: 2019-10-03T00:03:26.223

Link: CVE-2017-3548

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "PeopleSoft Enterprise PT PeopleTools", "vendor": "Oracle Corporation", "versions": [{"status": "affected", "version": "8.54"}, {"status": "affected", "version": "8.55"}]}], "datePublic": "2017-04-18T00:00:00", "descriptions": [{"lang": "en", "value": "Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Integration Broker). Supported versions that are affected are 8.54 and 8.55. Easily \"exploitable\" vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of PeopleSoft Enterprise PeopleTools. CVSS 3.0 Base Score 6.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)."}], "problemTypes": [{"descriptions": [{"description": "Easily \"exploitable\" vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of PeopleSoft Enterprise PeopleTools.", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-12-10T17:57:01", "orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle"}, "references": [{"name": "41925", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/41925/"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html"}, {"name": "1038301", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1038301"}, {"name": "97880", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/97880"}, {"tags": ["x_refsource_MISC"], "url": "https://erpscan.io/advisories/erpscan-17-020-xxe-via-doctype-peoplesoft/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert_us@oracle.com", "ID": "CVE-2017-3548", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "PeopleSoft Enterprise PT PeopleTools", "version": {"version_data": [{"version_affected": "=", "version_value": "8.54"}, {"version_affected": "=", "version_value": "8.55"}]}}]}, "vendor_name": "Oracle Corporation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Integration Broker). Supported versions that are affected are 8.54 and 8.55. Easily \"exploitable\" vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of PeopleSoft Enterprise PeopleTools. CVSS 3.0 Base Score 6.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Easily \"exploitable\" vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of PeopleSoft Enterprise PeopleTools."}]}]}, "references": {"reference_data": [{"name": "41925", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/41925/"}, {"name": "http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html"}, {"name": "1038301", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1038301"}, {"name": "97880", "refsource": "BID", "url": "http://www.securityfocus.com/bid/97880"}, {"name": "https://erpscan.io/advisories/erpscan-17-020-xxe-via-doctype-peoplesoft/", "refsource": "MISC", "url": "https://erpscan.io/advisories/erpscan-17-020-xxe-via-doctype-peoplesoft/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T14:30:57.996Z"}, "title": "CVE Program Container", "references": [{"name": "41925", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/41925/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html"}, {"name": "1038301", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1038301"}, {"name": "97880", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/97880"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://erpscan.io/advisories/erpscan-17-020-xxe-via-doctype-peoplesoft/"}]}]}, "cveMetadata": {"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "assignerShortName": "oracle", "cveId": "CVE-2017-3548", "datePublished": "2017-04-24T19:00:00", "dateReserved": "2016-12-06T00:00:00", "dateUpdated": "2024-08-05T14:30:57.996Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.54:*:*:*:*:*:*:*", "matchCriteriaId": "CDD82442-3535-4BB9-8888-F61A35B900AB", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*", "matchCriteriaId": "45CB30A1-B2C9-4BF5-B510-1F2F18B60C64", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Integration Broker). Supported versions that are affected are 8.54 and 8.55. Easily \"exploitable\" vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of PeopleSoft Enterprise PeopleTools. CVSS 3.0 Base Score 6.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)."}, {"lang": "es", "value": "Vulnerabilidad en el componente PeopleSoft Enterprise PeopleTools de Oracle PeopleSoft Products (subcomponente: Integration Broker). Versiones compatibles que son afectadas son 8.54 and 8.55. Vulnerabilidad f\u00e1cilmente explotable permite a atacante no autenticado con acceso a la red a trav\u00e9s de HTTP comprometer PeopleSoft Enterprise PeopleTools. Los ataques con \u00e9xito de esta vulnerabilidad pueden resultar en acceso de lectura no autorizado a un subconjunto de datos accesibles de PeopleSoft Enterprise PeopleTools y capacidad no autorizada para causar una denegaci\u00f3n parcial de servicio (DOS parcial) de PeopleSoft Enterprise PeopleTools. CVSS 3.0 Base Score 6.5 (Confidencialidad e Impactos de disponibilidad). CVSS 3.0 Base Score 6.5 (Confidentiality and Impactos de disponibilidad). Vector CVSS: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)."}], "id": "CVE-2017-3548", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-04-24T19:59:04.393", "references": [{"source": "secalert_us@oracle.com", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html"}, {"source": "secalert_us@oracle.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/97880"}, {"source": "secalert_us@oracle.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1038301"}, {"source": "secalert_us@oracle.com", "tags": ["Third Party Advisory"], "url": "https://erpscan.io/advisories/erpscan-17-020-xxe-via-doctype-peoplesoft/"}, {"source": "secalert_us@oracle.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/41925/"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}