CVE-2019-2660

Name of the Vulnerable Software and Affected Versions Oracle E-Business Suite versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8

Description The issue is related to inadequate access control in the Oracle Knowledge Management component, specifically in the Setup and Admin subcomponents. This allows an unauthenticated attacker with network access via HTTP to compromise Oracle Knowledge Management, potentially leading to unauthorized access to critical data or complete access to all Oracle Knowledge Management accessible data. Successful attacks may also result in unauthorized update, insert, or delete access to some of Oracle Knowledge Management's accessible data. The attack requires human interaction from a person other than the attacker and can significantly impact additional products.

Recommendations For versions 12.1.1, 12.1.2, 12.1.3, update to a version that includes the necessary security patches to address the inadequate access control issue. For versions 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, apply the recommended security fixes to resolve the vulnerability in the Oracle Knowledge Management component. As a temporary workaround, consider restricting access to the vulnerable Setup and Admin subcomponents until a patch is available.