Impact
A vulnerability exists in Oracle Spares Management’s Internal Operations component that allows an attacker with low privileges and HTTPS network access to take over the system. The flaw results in complete loss of confidentiality, integrity, and availability for the affected component, as confirmed by the CVSS 3.1 base score of 8.8. This high‑severity weakness involves improper authentication and authorization (CWE-269, CWE-287, CWE-306).
Affected Systems
Oracle Spares Management, part of Oracle E‑Business Suite, versions 12.2.3 through 12.2.15 are impacted; later releases are not affected.
Risk and Exploitability
The vulnerability’s CVSS vector indicates a network‑based attack (AV:N) with low authentication (PR:L) and no user interaction (UI:N). The EPSS score is below 1 %, suggesting a low current exploitation probability, and the flaw is not listed in CISA’s KEV catalog. Nonetheless, an attacker who can reach the HTTPS interface can exploit the flaw to fully control the application, potentially facilitating lateral movement or data exfiltration.
OpenCVE Enrichment