CVE-2019-2654

Name of the Vulnerable Software and Affected Versions Oracle E-Business Suite versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8

Description The issue is related to inadequate access control in the Oracle One-to-One Fulfillment component, specifically the Print Server subcomponent. This allows an unauthenticated attacker with network access via HTTP to compromise Oracle One-to-One Fulfillment. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. The impact can result in unauthorized access to critical data, complete access to all Oracle One-to-One Fulfillment accessible data, as well as unauthorized update, insert, or delete access to some of Oracle One-to-One Fulfillment accessible data.

Recommendations For versions 12.1.1, 12.1.2, 12.1.3, update to a version that includes the necessary security patches for the Oracle One-to-One Fulfillment component. For versions 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, apply the relevant security fixes to mitigate the vulnerability. As a temporary workaround, consider restricting access to the Print Server subcomponent until a patch is available. Restrict access to sensitive data and implement additional monitoring to detect potential exploitation attempts.