Impact
A flaw in the Web Runtime Security component of Oracle JD Edwards EnterpriseOne Tools allows an unauthenticated attacker with network access via HTTP to exploit the vulnerability. The flaw permits unauthorized disclosure of critical data and provides the attacker with the ability to insert, update, or delete data that the user does not have permission to modify. The weakness arises from a lack of authentication, improper authorization checks, and potential information disclosure, resulting in high impacts to confidentiality and moderate impacts to integrity. The vulnerability’s scope is changed, meaning it can also affect other JD Edwards products that share or interact with the compromised tool.
Affected Systems
Oracle JD Edwards EnterpriseOne Tools versions 9.2.0.0 through 9.2.26.2 are affected. The flaw may also impact additional JD Edwards products that are connected to or share data with the affected tool.
Risk and Exploitability
The CVSS base score of 9.3 signals a critical vulnerability, while the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. It is inferred that an attacker can exploit this weakness by sending crafted HTTP requests to the JD Edwards EnterpriseOne Tools web interface, gaining unauthorized access and modification rights because no authentication or privilege is required.
OpenCVE Enrichment