Impact
A flaw in JD Edwards EnterpriseOne Human Resources Management (version 9.2) permits an unauthenticated attacker to create, delete, or modify data, or to read sensitive information without permission. The vulnerability is tied to weaknesses in authentication and authorization controls, as identified by CWE-284 and CWE-306. The impact includes loss of data integrity and confidentiality for all HR data accessible via the product.
Affected Systems
Oracle Corporation’s JD Edwards EnterpriseOne Human Resources Management version 9.2 is the only product affected. Users running this edition expose HR data to parties with network connectivity to the HTTP interface.
Risk and Exploitability
The CVSS v3.1 base score of 9.1 classifies the vulnerability as critical, with immediate impact on confidentiality and integrity. However, the EPSS score is less than 1%, indicating a very low, though nonzero, likelihood of exploitation today. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit this weakness over the network via HTTP without authentication, implying that any system exposed to the public or untrusted network segments faces significant risk.
OpenCVE Enrichment