Impact
Vulnerability in the Oracle Universal Work Queue product, specifically the Work Provider Site Level Administration component, permits a low‑privileged attacker with network access via HTTP to compromise the system. Successful exploitation results in a full takeover of the Oracle Universal Work Queue, impacting confidentiality, integrity, and availability. The CVSS 3.1 rating is 9.9 with a vector indicating network access, low attack complexity, low privileges, no user interaction, and a scope change that may affect additional components. This indicates a severe remote code execution scenario.
Affected Systems
Oracle Universal Work Queue of Oracle E‑Business Suite. Versions 12.2.3 through 12.2.15 are affected; no other versions are listed as impacted. The flaw resides in the Work Provider Site Level Administration sub‑component.
Risk and Exploitability
The CVSS base score of 9.9 marks it as critical. Although EPSS indicates a very low exploitation probability (<1%), the remote HTTP interface and the scope‑changing nature of the bug mean that an attacker can act from outside the organization with only low‑privileged credentials. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires network connectivity to the affected HTTP service and a low‑privileged account, after which the attacker can gain full control of the Oracle Universal Work Queue and potentially additional components.