PT-2016-4252 · Oracle · Oracle Enterprise Manager Grid Control
Zhou Yu · Published 2016-01-21 · Updated 2016-12-22 · CVE-2016-0492
CVSS v2.0: 6.4 (Medium)
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Oracle Enterprise Manager Grid Control versions 12.4.0.2 through 12.5.0.2
Description
The issue affects confidentiality and integrity, potentially allowing remote attackers to bypass authentication. It is related to Load Testing for Web Apps. There are claims that this could be a directory traversal vulnerability in the isAllowedUrl function, which may allow attackers to bypass authentication via directory traversal sequences following a URI entry that does not require authentication, such as /olt/Login.do/../../olt/UploadFileUpload.do.
Recommendations
For versions 12.4.0.2 and 12.5.0.2, consider restricting access to the Load Testing for Web Apps component until a patch is available.
As a temporary workaround, consider disabling the isAllowedUrl function to prevent potential directory traversal attacks.
Avoid using URI entries that do not require authentication in the affected Load Testing for Web Apps component until the issue is resolved.
Exploit
Fix
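The vendor's correction is not reproduced on this page. As an added illustration, not Oracle's code and not the real isAllowedUrl implementation, the Python below contrasts a prefix check on the raw request URI (the pattern the claimed bypass would depend on) with a check on the normalized path; the allow-list entry /olt/Login.do is assumed from the description above.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Constructed allow-list: URI paths that may be served without authentication.
# The single entry mirrors the /olt/Login.do example from the advisory; the
# real product's list and its isAllowedUrl implementation are not on this page.
UNAUTHENTICATED_PATHS = ("/olt/Login.do",)


def is_allowed_url_raw(request_uri: str) -> bool:
    """Weak check: prefix-matches the raw request URI against the allow-list.

    A traversal sequence appended after an allowed prefix still matches, so the
    request is treated as unauthenticated even though the container dispatches
    it to a different servlet after collapsing the dot segments."""
    return any(request_uri.startswith(p) for p in UNAUTHENTICATED_PATHS)


def normalize_path(request_uri: str) -> str:
    """Return the path the server will actually dispatch.

    Drops query string and fragment, decodes percent-encoding once (so %2e%2e
    is seen as ..), and collapses '.', '..' and repeated slashes."""
    path = unquote(urlsplit(request_uri).path)
    if not path.startswith("/"):
        path = "/" + path
    collapsed = posixpath.normpath(path)
    # posixpath keeps a leading '//' verbatim; force exactly one leading slash
    return "/" + collapsed.lstrip("/")


def is_allowed_url_hardened(request_uri: str) -> bool:
    """Hardened check: exact match of the normalized path against the allow-list."""
    return normalize_path(request_uri) in UNAUTHENTICATED_PATHS


def path_changed_by_normalization(request_uri: str) -> bool:
    """Detection helper: True when normalization rewrote the path, i.e. the
    request carried dot segments, encoded dots or duplicate slashes. Worth
    logging on any route that is exempt from authentication."""
    return urlsplit(request_uri).path != normalize_path(request_uri)


if __name__ == "__main__":
    # The URI quoted in the advisory, used here as a constructed test input.
    probe = "/olt/Login.do/../../olt/UploadFileUpload.do"
    print("raw check allows:      ", is_allowed_url_raw(probe))       # True
    print("hardened check allows: ", is_allowed_url_hardened(probe))  # False
    print("dispatched path:       ", normalize_path(probe))
```

Whatever normalization the authentication filter applies must match what the servlet container applies when routing, otherwise the two disagree about which resource a request reaches.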
Related identifiers
Affected products
Oracle Enterprise Manager Grid Control