CVE-2026-21977 - Vulnerability Details

- Unauthenticated Network Access Leading to Unauthorized Data Read in Oracle Zero Data Loss Recovery Appliance

Description

Vulnerability in the Oracle Zero Data Loss Recovery Appliance Software product of Oracle Zero Data Loss Recovery Appliance (component: Security). Supported versions that are affected are 23.1.0-23.1.202509. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Oracle Zero Data Loss Recovery Appliance Software. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Zero Data Loss Recovery Appliance Software accessible data. CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).

Published: 2026-01-20

Score: 3.1 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability permits an unauthenticated attacker with network access to Oracle Net to read restricted data from the Oracle Zero Data Loss Recovery Appliance without changing the system state. The lack of authorization enforcement allows the attacker to access a subset of data, potentially exposing sensitive information. The flaw is classified as affecting confidentiality only, with no impact on integrity or availability.

Affected Systems

Oracle Corporation's Zero Data Loss Recovery Appliance Software, specifically versions 23.1.0 through 23.1.202509, is vulnerable. The issue resides in the Security component of the appliance.

Risk and Exploitability

The CVSS v3.1 base score of 3.1 reflects a low severity confidentiality impact, while the EPSS score of less than 1 % indicates a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attacks would require a human to interact with the appliance after exploitation; network traffic over Oracle Net can trigger the read operation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

Oracle Zero Data Loss Recovery Appliance Software

affected

Version	Status	Constraints
`23.1.0`	affected	≤ 23.1.202509

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Oracle patch for Zero Data Loss Recovery Appliance Software
Upgrade to the most recent release version (23.1.202511 or later) if a patch is not available
Restrict network access to the appliance to trusted networks only, and limit Oracle Net connections to necessary parties
Enable detailed logging on the appliance and monitor for suspicious access attempts or unusual read patterns

Generated by OpenCVE AI on April 18, 2026 at 15:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00037.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://www.oracle.com/security-alerts/cpujan2026.html

History

Sat, 18 Apr 2026 16:00:00 +0000

Type	Values Removed	Values Added
Title		Unauthenticated Network Access Leading to Unauthorized Data Read in Oracle Zero Data Loss Recovery Appliance
Weaknesses		CWE-200 CWE-284

Wed, 21 Jan 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 20 Jan 2026 22:15:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in the Oracle Zero Data Loss Recovery Appliance Software product of Oracle Zero Data Loss Recovery Appliance (component: Security). Supported versions that are affected are 23.1.0-23.1.202509. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Oracle Zero Data Loss Recovery Appliance Software. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Zero Data Loss Recovery Appliance Software accessible data. CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).
First Time appeared		Oracle Oracle zero Data Loss Recovery Appliance Software
CPEs		cpe:2.3:a:oracle:zero_data_loss_recovery_appliance_software::::::::
Vendors & Products		Oracle Oracle zero Data Loss Recovery Appliance Software
References		https://www.oracle.com/security-alerts/cpujan2026.html
Metrics		cvssV3_1 `{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}`

Subscriptions

Oracle Zero Data Loss Recovery Appliance Software

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2026-01-20T21:56:37.605Z

Updated: 2026-01-21T16:42:39.309Z

Reserved: 2026-01-05T18:07:34.716Z

Link: CVE-2026-21977

Vulnrichment

Updated: 2026-01-21T16:38:14.239Z

NVD

Status : Deferred

Published: 2026-01-20T22:16:00.987

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-21977

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T15:45:04Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object