Impact
The Siebel CRM Deployment product contains a flaw in its Database Upgrade component that permits an attacker who has logged on with a low‑privileged account on the server to change the privileges or configuration of the deployment. By exercising the upgrade functionality, the attacker can elevate privileges within the application, gaining full control. This results in the compromise of confidentiality, integrity, and availability of all data managed by Siebel CRM. The weakness manifests as insufficient access control (CWE-284), allowing the attacker to bypass normal authorization checks.
Affected Systems
Oracle Corporation’s Siebel CRM Deployment, versions 17.0 through 26.5, are affected. The vulnerability lies specifically in the Database Upgrade component of the deployment, and any build falling within that version range that includes this component is vulnerable. The impact extends to all deployments of the Siebel CRM product tree that rely on the mentioned upgrade process.
Risk and Exploitability
The flaw is rated CVSS 3.1 Base Score of 7.8, categorizing it as high severity. The EPSS score of less than 1% indicates that real-world exploitation is currently uncommon. The vulnerability is not listed in the CISA KEV catalog. Because it requires local low‑privileged or administrative access to the host where Siebel CRM runs, it is a local attack vector and can be mitigated by restricting local account privileges. Successful exploitation would give an attacker complete control over application logic and data, creating a high risk scenario for organizations that rely on Siebel CRM.
OpenCVE Enrichment