CVE-2019-2489 - OpenCVE

Vulnerability in the Oracle One-to-One Fulfillment component of Oracle E-Business Suite (subcomponent: OCM Query). Supported versions that are affected are 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 and 12.2.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle One-to-One Fulfillment. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle One-to-One Fulfillment accessible data as well as unauthorized access to critical data or complete access to all Oracle One-to-One Fulfillment accessible data. CVSS 3.0 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Oracle	E-business Suite

Configuration 1 [-]

OR	cpe:2.3:a:oracle:e-business_suite:12.1.3:::::::*
	cpe:2.3:a:oracle:e-business_suite:12.2.3:::::::*
	cpe:2.3:a:oracle:e-business_suite:12.2.4:::::::*
	cpe:2.3:a:oracle:e-business_suite:12.2.5:::::::*
	cpe:2.3:a:oracle:e-business_suite:12.2.6:::::::*
	cpe:2.3:a:oracle:e-business_suite:12.2.7:::::::*
	cpe:2.3:a:oracle:e-business_suite:12.2.8:::::::*

References

Link	Resource
http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html	Patch Vendor Advisory
http://www.securityfocus.com/bid/106620	Third Party Advisory VDB Entry

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: oracle

Published: 2019-01-16T19:00:00

Updated: 2019-01-17T10:57:01

Reserved: 2018-12-14T00:00:00

Link: CVE-2019-2489

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-01-16T19:30:33.827

Modified: 2020-08-24T17:37:01.140

Link: CVE-2019-2489

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "One-to-One Fulfillment", "vendor": "Oracle Corporation", "versions": [{"status": "affected", "version": "12.1.3"}, {"status": "affected", "version": "12.2.3"}, {"status": "affected", "version": "12.2.4"}, {"status": "affected", "version": "12.2.5"}, {"status": "affected", "version": "12.2.6"}, {"status": "affected", "version": "12.2.7"}, {"status": "affected", "version": "12.2.8"}]}], "datePublic": "2019-01-15T00:00:00", "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle One-to-One Fulfillment component of Oracle E-Business Suite (subcomponent: OCM Query). Supported versions that are affected are 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 and 12.2.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle One-to-One Fulfillment. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle One-to-One Fulfillment accessible data as well as unauthorized access to critical data or complete access to all Oracle One-to-One Fulfillment accessible data. CVSS 3.0 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)."}], "problemTypes": [{"descriptions": [{"description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle One-to-One Fulfillment. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle One-to-One Fulfillment accessible data as well as unauthorized access to critical data or complete access to all Oracle One-to-One Fulfillment accessible data.", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-01-17T10:57:01", "orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle"}, "references": [{"name": "106620", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/106620"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert_us@oracle.com", "ID": "CVE-2019-2489", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "One-to-One Fulfillment", "version": {"version_data": [{"version_affected": "=", "version_value": "12.1.3"}, {"version_affected": "=", "version_value": "12.2.3"}, {"version_affected": "=", "version_value": "12.2.4"}, {"version_affected": "=", "version_value": "12.2.5"}, {"version_affected": "=", "version_value": "12.2.6"}, {"version_affected": "=", "version_value": "12.2.7"}, {"version_affected": "=", "version_value": "12.2.8"}]}}]}, "vendor_name": "Oracle Corporation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Vulnerability in the Oracle One-to-One Fulfillment component of Oracle E-Business Suite (subcomponent: OCM Query). Supported versions that are affected are 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 and 12.2.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle One-to-One Fulfillment. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle One-to-One Fulfillment accessible data as well as unauthorized access to critical data or complete access to all Oracle One-to-One Fulfillment accessible data. CVSS 3.0 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle One-to-One Fulfillment. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle One-to-One Fulfillment accessible data as well as unauthorized access to critical data or complete access to all Oracle One-to-One Fulfillment accessible data."}]}]}, "references": {"reference_data": [{"name": "106620", "refsource": "BID", "url": "http://www.securityfocus.com/bid/106620"}, {"name": "http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"}]}}}}, "cveMetadata": {"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "assignerShortName": "oracle", "cveId": "CVE-2019-2489", "datePublished": "2019-01-16T19:00:00", "dateReserved": "2018-12-14T00:00:00", "dateUpdated": "2019-01-17T10:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:e-business_suite:12.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "9E42C3CE-CA98-4C13-B41E-DF7A3FEC560F", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:e-business_suite:12.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "86D2B444-B8D8-4A3D-BCCA-3B5280F05A38", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:e-business_suite:12.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "0FDD0B52-77F6-4607-84F8-1BCF99DB1B23", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:e-business_suite:12.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "20ACF759-62E7-49D8-8F12-BE17B9CDCED7", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:e-business_suite:12.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "4CE8E3DE-52F5-4A15-BD38-683931DCD6EE", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:e-business_suite:12.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "1041EDB2-0620-4968-AE2E-92D4784EA882", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:e-business_suite:12.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "03141FEE-F3C9-4B20-AD11-D7DDA0F4A8D4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle One-to-One Fulfillment component of Oracle E-Business Suite (subcomponent: OCM Query). Supported versions that are affected are 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 and 12.2.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle One-to-One Fulfillment. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle One-to-One Fulfillment accessible data as well as unauthorized access to critical data or complete access to all Oracle One-to-One Fulfillment accessible data. CVSS 3.0 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)."}, {"lang": "es", "value": "Vulnerabilidad en el componente Oracle One-to-One Fulfillment de Oracle E-Business Suite (subcomponente: OCM Query). Las versiones compatibles que se han visto afectadas son la 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 y la 12.2.8. Una vulnerabilidad f\u00e1cilmente explotable permite que un atacante sin autenticar que tenga acceso a red por HTTP comprometa la seguridad de Oracle One-to-One Fulfillment. Los ataques exitosos a esta vulnerabilidad pueden resultar en el acceso no autorizado de creaci\u00f3n, supresi\u00f3n o modificaci\u00f3n de datos de suma importancia o de todos los datos accesibles de Oracle One-to-One Fulfillment, as\u00ed como el acceso sin autorizaci\u00f3n a datos de nivel de importancia cr\u00edtico o todos los datos accesibles de Oracle One-to-One Fulfillment. CVSS 3.0 Base Score 9.1 (impactos en la confidencialidad e integridad). Vector CVSS: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)."}], "id": "CVE-2019-2489", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-01-16T19:30:33.827", "references": [{"source": "secalert_us@oracle.com", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"}, {"source": "secalert_us@oracle.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/106620"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}