Impact
A vulnerability exists in the Oracle Project Portfolio Analysis component of Oracle E‑Business Suite that allows an attacker with high privileges to exploit an HTTP interface. The flaw permits full compromise of the application, leading to loss of confidentiality, integrity, and availability. The CVSS 3.1 base score of 7.2 reflects data‑owner compromise with no user interaction required. Once the vulnerability is triggered, the attacker gains administrative control over the Project Portfolio Analysis service, effectively taking over the entire application.
Affected Systems
Oracle Corporation’s Oracle Project Portfolio Analysis product, part of the Internal Operations component of Oracle E‑Business Suite, is affected in versions 12.2.3 through 12.2.15. The product is accessed via HTTP; only systems that expose this interface over the network are at risk.
Risk and Exploitability
The CVSS score of 7.2 indicates a high‑risk flaw, while the EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a network‑based exploit through the HTTP interface, requiring the attacker to already possess high‑privilege credentials or to exploit a credential‑related weakness; this inference is drawn from the description that a high‑privileged attacker with network access can compromise the service. Because the vulnerability permits full administrative takeover of the Project Portfolio Analysis application, the impact on confidentiality, integrity and availability is severe and warrants prompt remediation.
OpenCVE Enrichment