Impact
The Oracle Identity Manager Connector, part of Oracle Fusion Middleware, has a flaw in its core component that enables an unauthenticated attacker with HTTP network access to retrieve sensitive data. This vulnerability can permit full compromise of all data accessible through the connector, exposing confidential information. The weakness is rated moderate severity, with a CVSS 3.1 base score of 5.9: the confidentiality impact is significant, while integrity and availability are unaffected.
Affected Systems
The affected product is Oracle Corporation’s Oracle Identity Manager Connector, version 12.2.1.4.0. The product is integrated within Oracle Fusion Middleware, and the vulnerability resides in the core module. No other versions are currently known to be impacted.
Risk and Exploitability
The CVSS base score of 5.9 signals a moderate risk driven largely by confidentiality compromise. Because exploitation is described as difficult and EPSS data is unavailable, the likelihood of real‑world attacks remains uncertain, though attacks are not impossible. The vulnerability is not listed in CISA’s KEV catalog, indicating that large‑scale abuse has not yet been observed. The likely attack vector is an unauthenticated HTTP request sent over the network, so hosts reachable from public or internal networks may be vulnerable if not appropriately shielded.