Impact
A flaw in the Web Runtime Security component of Oracle JD Edwards EnterpriseOne Tools can be exploited by an unauthenticated attacker with network access via HTTP. The primary effect is unauthorized disclosure of critical data, combined with the ability to insert, update, or delete data that the user would not normally be permitted to modify. The underlying weakness is an improper authorization check that allows access to protected resources. The impact is high for confidentiality and low-to-moderate for integrity, giving the attacker the ability to alter or compromise business data within the application.
Affected Systems
Oracle JD Edwards EnterpriseOne Tools versions 9.2.0.0 through 9.2.26.2 are affected. Because the scope of the weakness extends beyond the primary product, the vulnerability may also affect other JD Edwards products that are connected to or share components with the affected tool.
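A practical first step for defenders is to check an inventory of Tools installations against the affected range stated above. The following is an added example (not code from the advisory, OpenCVE, or Oracle): it compares dotted version strings numerically, which matters because a plain string comparison would wrongly place 9.2.3.0 after 9.2.26.2, and it groups hosts by urgency using an internet-exposure flag. The host names, versions and exposure flags in the sample inventory are constructed for illustration, and the helper names are assumptions of this example.

```python
from typing import Dict, Iterable, List, Tuple

# Affected range as stated in the advisory text for EnterpriseOne Tools.
AFFECTED_MIN = "9.2.0.0"
AFFECTED_MAX = "9.2.26.2"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted Tools version such as '9.2.26.2' into a tuple of ints.

    Numeric comparison avoids the string-compare pitfall where '9.2.3.0'
    would sort after '9.2.26.2'. Shorter strings are padded with zeros so
    that '9.2' compares equal to '9.2.0.0'. Non-numeric components raise
    ValueError so a malformed inventory entry is not silently treated as safe.
    """
    parts = [int(p) for p in v.strip().split(".")]
    if len(parts) > 4:
        raise ValueError(f"unexpected version format: {v!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version: str, lo: str = AFFECTED_MIN, hi: str = AFFECTED_MAX) -> bool:
    """True when version falls inside the inclusive affected range [lo, hi]."""
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)


def triage(inventory: Iterable[Tuple[str, str, bool]]) -> Dict[str, List[str]]:
    """Group hosts by remediation urgency.

    inventory yields (host, tools_version, internet_exposed) tuples.
    Affected hosts whose HTTP endpoint is reachable from untrusted networks
    are listed first, since the advisory needs no authentication to exploit.
    """
    exposed: List[str] = []
    internal: List[str] = []
    clean: List[str] = []
    for host, ver, internet_exposed in inventory:
        if not is_affected(ver):
            clean.append(host)
        elif internet_exposed:
            exposed.append(host)
        else:
            internal.append(host)
    return {
        "exposed_affected": exposed,
        "internal_affected": internal,
        "not_affected": clean,
    }


# Constructed sample inventory (hypothetical hosts and versions, not real data).
SAMPLE_INVENTORY = [
    ("jde-web-01", "9.2.26.2", True),   # upper bound of the affected range
    ("jde-web-02", "9.2.3.0", False),   # inside the range; string compare would miss it
    ("jde-web-03", "9.2.27.0", True),   # above the stated range
    ("jde-web-04", "9.1.5.0", False),   # below the stated range
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

Versions outside the stated range are reported as "not affected" only with respect to this advisory; confirm against Oracle's patch documentation before treating a host as remediated.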
Risk and Exploitability
The CVSS base score of 9.3 marks this as a critical vulnerability, while the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. It is inferred that an attacker could exploit this weakness by sending crafted HTTP requests to the JD Edwards EnterpriseOne Tools web interface. Because no authentication or privileges are required, the risk to organizations running these versions is significant, especially where the HTTP endpoints are exposed to the public internet or untrusted networks.
OpenCVE Enrichment