Impact
An unauthenticated attacker with network access via HTTP can exploit a flaw in the Content Server component of Oracle WebCenter Content. The vulnerability allows the attacker to execute arbitrary code, potentially taking full control of the application. Successful exploitation compromises confidentiality, integrity, and availability of the affected instance, resulting in a complete takeover.
Affected Systems
Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 are vulnerable. The flaw’s scope change may affect other Oracle products that interact with WebCenter Content, but the primary targets remain the listed releases.
Risk and Exploitability
The CVSS v3.1 base score of 9.0 categorizes this as Critical, with no authentication, high complexity, no user interaction, and changed scope. The EPSS score of less than 1% indicates a low current exploitation probability, but the severity remains high. Because the vulnerability is reached over HTTP, it can be triggered remotely from any location that can contact the WebCenter Content service. The weakness involves incorrect permission evaluation (CWE-284), enabling the attacker to bypass access controls and execute code.
OpenCVE Enrichment