Impact
A critical security flaw in Oracle Coherence allows an unauthenticated attacker to exploit the system over HTTPS, resulting in full takeover of the Coherence service. The vulnerability is classified as an authentication bypass (CWE-306) and can be leveraged to compromise confidentiality, integrity, and availability, producing a CVSS v3.1 base score of 9.8.
Affected Systems
The affected versions are Oracle Coherence 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0; these releases provide the Oracle Fusion Middleware component Core that is vulnerable.
Risk and Exploitability
The low EPSS score (<1%) indicates that exploitation is unlikely at the time of this analysis, yet the high CVSS score and lack of KEV listing mean the Coherence HTTPS interface is exposed with no user authentication; once the flaw is leveraged, the attacker can achieve full system compromise.
OpenCVE Enrichment