Impact
This issue is a case of CWE-287, an authentication failure weakness, where the Authentication Engine of Oracle Access Manager does not properly verify the identity of users, enabling an unauthenticated attacker with network access via HTTP to send requests that result in unauthorized update, insert, or delete operations on some data as well as unauthorized read access to a subset of data.
Affected Systems
The affected releases are Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0. The flaw is confined to the Authentication Engine of these versions, making only these bundles susceptible to exploitation.
Risk and Exploitability
The CVSS 3.1 base score of 6.5 signals moderate severity with confidentiality and integrity impacts, while the EPSS score of less than 1% indicates a low likelihood of widespread exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is network‑based HTTP access; the attacker does not need valid credentials to target a vulnerable host.
OpenCVE Enrichment