CVE-2018-3235 - OpenCVE

Vendors	Products
Oracle	Applications Manager

Link	Providers
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.securityfocus.com/bid/105620
http://www.securitytracker.com/id/1041897

{"containers": {"cna": {"affected": [{"product": "Applications Manager", "vendor": "Oracle Corporation", "versions": [{"status": "affected", "version": "12.1.3"}, {"status": "affected", "version": "12.2.3"}, {"status": "affected", "version": "12.2.4"}, {"status": "affected", "version": "12.2.5"}, {"status": "affected", "version": "12.2.6"}, {"status": "affected", "version": "12.2.7"}]}], "datePublic": "2018-10-16T00:00:00", "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle Applications Manager component of Oracle E-Business Suite (subcomponent: None). Supported versions that are affected are 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 and 12.2.7. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Applications Manager. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Applications Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Applications Manager accessible data as well as unauthorized update, insert or delete access to some of Oracle Applications Manager accessible data. CVSS 3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)."}], "problemTypes": [{"descriptions": [{"description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Applications Manager. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Applications Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Applications Manager accessible data as well as unauthorized update, insert or delete access to some of Oracle Applications Manager accessible data.", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-17T09:57:01", "orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle"}, "references": [{"name": "1041897", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1041897"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"}, {"name": "105620", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/105620"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert_us@oracle.com", "ID": "CVE-2018-3235", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Applications Manager", "version": {"version_data": [{"version_affected": "=", "version_value": "12.1.3"}, {"version_affected": "=", "version_value": "12.2.3"}, {"version_affected": "=", "version_value": "12.2.4"}, {"version_affected": "=", "version_value": "12.2.5"}, {"version_affected": "=", "version_value": "12.2.6"}, {"version_affected": "=", "version_value": "12.2.7"}]}}]}, "vendor_name": "Oracle Corporation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Vulnerability in the Oracle Applications Manager component of Oracle E-Business Suite (subcomponent: None). Supported versions that are affected are 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 and 12.2.7. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Applications Manager. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Applications Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Applications Manager accessible data as well as unauthorized update, insert or delete access to some of Oracle Applications Manager accessible data. CVSS 3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Applications Manager. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Applications Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Applications Manager accessible data as well as unauthorized update, insert or delete access to some of Oracle Applications Manager accessible data."}]}]}, "references": {"reference_data": [{"name": "1041897", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1041897"}, {"name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"}, {"name": "105620", "refsource": "BID", "url": "http://www.securityfocus.com/bid/105620"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T04:43:35.113Z"}, "title": "CVE Program Container", "references": [{"name": "1041897", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1041897"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"}, {"name": "105620", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/105620"}]}]}, "cveMetadata": {"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "assignerShortName": "oracle", "cveId": "CVE-2018-3235", "datePublished": "2018-10-17T01:00:00", "dateReserved": "2017-12-15T00:00:00", "dateUpdated": "2024-08-05T04:43:35.113Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:applications_manager:12.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "C2FDF7A2-A97E-46CD-8F20-BF4A1C4F0058", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:applications_manager:12.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "BB2D2D24-EA72-498B-85F7-BC6E5C84DBCA", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:applications_manager:12.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "A63E4612-0D49-4EAE-80B8-8E3FF1788F34", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:applications_manager:12.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "96DB997D-7686-4B5E-8816-58A4E0009AB0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:applications_manager:12.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "25B77673-EA2B-4C7E-915E-0CD3AAC67F57", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:applications_manager:12.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "A6DBA20B-212A-4F70-96BD-653B36D6A928", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle Applications Manager component of Oracle E-Business Suite (subcomponent: None). Supported versions that are affected are 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 and 12.2.7. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Applications Manager. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Applications Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Applications Manager accessible data as well as unauthorized update, insert or delete access to some of Oracle Applications Manager accessible data. CVSS 3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)."}, {"lang": "es", "value": "Vulnerabilidad en el componente Oracle Applications Manager en Oracle E-Business Suite (subcomponente: ninguno). Las versiones compatibles que se han visto afectadas son la 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 y la 12.2.7. Esta vulnerabilidad f\u00e1cilmente explotable permite que un atacante sin autenticar con acceso en red via HTTP comprometa la seguridad de Oracle Applications Manager. Para que los ataques tengan \u00e9xito, se necesita la participaci\u00f3n de otra persona diferente del atacante y, aunque la vulnerabilidad est\u00e1 presente en Oracle Applications Manager, los ataques podr\u00edan afectar seriamente a productos adicionales. Los ataques exitosos de esta vulnerabilidad pueden resultar en un acceso no autorizado a datos de suma importancia o un acceso completo a todos los datos accesibles de Oracle Applications Manager; as\u00ed como en la actualizaci\u00f3n, inserci\u00f3n o supresi\u00f3n sin autorizaci\u00f3n de algunos de los datos accesibles de Oracle Applications Manager. CVSS 3.0 Base Score 8.2 (impactos de confidencialidad e integridad). Vector CVSS: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)."}], "id": "CVE-2018-3235", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-10-17T01:31:25.307", "references": [{"source": "secalert_us@oracle.com", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"}, {"source": "secalert_us@oracle.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/105620"}, {"source": "secalert_us@oracle.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1041897"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object