Impact
The vulnerability resides in the Job Costing component of Oracle JD Edwards EnterpriseOne Project Costing. An attacker with low privileges who can reach the JDENET network interface can exploit the flaw to create, delete, or modify critical data, or gain unauthorized access to all data accessible through the project costing module. The flaw allows full confidentiality and integrity compromise of the data but does not affect availability.
Affected Systems
Oracle JD Edwards EnterpriseOne Project Costing, version 9.2.
Risk and Exploitability
The CVSS v3.1 base score of 9.6 indicates a critical severity. The low EPSS value suggests that the vulnerability is not widely exploited yet, and it is not listed in the CISA KEV catalog. However, because the attack vector is a local network service (JDENET) and only low privileges are required, an attacker who can reach the JDENET endpoint can easily gain significant access. The scope change indicates that a successful exploitation in JD Edwards EnterpriseOne Project Costing may extend to other JD Edwards products, amplifying the potential impact.
OpenCVE Enrichment