Impact
Oracle Coherence 15.1.1.0.0 contains an Improper Access Control flaw (CWE‑284) that permits an unauthenticated attacker to access the service via HTTP. The vulnerability allows the attacker to read, insert, update, or delete data that is exposed through the Coherence cache, and may also expand the scope of impact to other products that depend on Coherence. This flaw can be exploited with minimal effort and no credential disclosure is required, leading to significant confidentiality and integrity loss.
Affected Systems
The affected product is Oracle Corporation’s Oracle Coherence component, version 15.1.1.0.0. The advisory notes that other Oracle Fusion Middleware products that rely on Coherence could also be indirectly impacted by the same flaw, although no additional specific products are listed.
Risk and Exploitability
The CVSS vector indicates a high severity rating of 9.3, with network access, low attack complexity, no privileges, no user interaction, and a change of scope that can expose more systems. The EPSS score is below 1 %, suggesting that exploitation may be uncommon in the wild, but the vulnerability is listed as not in the CISA KEV catalog. Nonetheless, because the attack requires only network connectivity to an exposed HTTP endpoint, and no authentication, the potential for compromise remains significant and warrants urgent attention.
OpenCVE Enrichment