Impact
The vulnerability resides in the Enterprise Infrastructure Security component of Oracle JD Edwards EnterpriseOne Tools. An unauthenticated attacker with network access via JDENET can bypass normal authentication, allowing the attacker to compromise the application and ultimately take full control of JD Edwards EnterpriseOne Tools.
Affected Systems
Oracle JD Edwards EnterpriseOne Tools, versions 9.2.0.0 through 9.2.26.2, are affected. Systems that expose the JDENET interface to unauthenticated attackers are at risk; environments without JDENET connectivity are not impacted.
Risk and Exploitability
The flaw bears a CVSS v3.1 score of 9.8, indicating critical severity with full confidentiality, integrity and availability impacts. The EPSS score is below 1%, showing low historical exploitation frequency. The vulnerability is not listed in the CISA KEV catalog. Successful exploitation requires only remote network access to the JDENET service and does not need credentials, enabling an attacker to assume full control of JD Edwards EnterpriseOne Tools.
OpenCVE Enrichment