Impact
A flaw in Oracle Cost Management’s Cost Planning component lets a low‑privileged user with network access via HTTP gain full control of the application. The vulnerability is exploitable without user interaction and can lead to the attacker taking over the Cost Management service, compromising the confidentiality, integrity, and availability of the affected data and processes.
Affected Systems
Oracle E‑Business Suite Oracle Cost Management versions 12.2.3 through 12.2.15 are affected.
Risk and Exploitability
The CVSS 3.1 base score of 8.8 indicates a high‑severity flaw. The EPSS score is below 1%, suggesting a low likelihood of exploitation in the wild, and the issue is not listed in the CISA KEV catalog. The likely attack vector is a network‑based HTTP request. An attacker only needs network connectivity to the Cost Planning service and a low‑privileged account; no additional privileges or user interaction are required to exploit the privilege escalation that drives the takeover.
OpenCVE Enrichment