PT-2016-4248 · Oracle · Oracle Enterprise Manager Grid Control
Rgod · Published 2016-01-21 · Updated 2016-12-22 · CVE-2016-0488
CVSS v2.0: 6.4 (Medium), vector AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Oracle Enterprise Manager Grid Control versions 12.4.0.2 through 12.5.0.2
Description
The issue affects confidentiality and integrity, potentially allowing remote attackers to bypass authentication and gain administrator access. It is related to Load Testing for Web Apps in the Oracle Application Testing Suite component. There are claims that this could be a directory traversal vulnerability in the isAllowedUrl function: an attacker may bypass authentication by appending directory traversal sequences to a URI entry that does not require authentication, so that the request passes the allow-list check while resolving to a protected resource.
Recommendations
For versions 12.4.0.2 and 12.5.0.2, consider restricting access to the admin pages as a temporary workaround until a patch is available. Avoid using URI entries that do not require authentication in the affected Load Testing for Web Apps component.
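The claimed bypass pattern in the description, an allow-list check applied to the raw request path rather than to the path the server will actually dispatch, as an added illustration that is not code from Oracle or from this advisory. The route prefixes, the two `is_allowed_url_*` functions and the access-log lines are constructed placeholders, not the product's real routes or logs.

```python
import posixpath
from urllib.parse import unquote

# Constructed placeholder: route prefixes served without authentication.
# Not the real product's routes; the real allow-list is not on this page.
UNAUTHENTICATED_PREFIXES = ("/olt/public", "/olt/static")

def is_allowed_url_naive(path: str) -> bool:
    """Weak check: trusts the raw request path. '/olt/public/../admin/'
    still carries the allowed prefix, yet the server resolves it to
    /olt/admin/, which is exactly the flaw the description attributes
    to isAllowedUrl."""
    return any(path == p or path.startswith(p + "/")
               for p in UNAUTHENTICATED_PREFIXES)

def canonicalize(path: str) -> str:
    """Decode percent-encoding twice (catches double-encoded dots), unify
    backslashes, then collapse '.' and '..' segments against the root."""
    decoded = unquote(unquote(path)).replace("\\", "/")
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    return posixpath.normpath(decoded)

def is_allowed_url_hardened(path: str) -> bool:
    """Hardened check: apply the allow-list to the canonical path, i.e.
    the resource the server will really serve, not the attacker's spelling."""
    canon = canonicalize(path)
    return any(canon == p or canon.startswith(p + "/")
               for p in UNAUTHENTICATED_PREFIXES)

def find_traversal_bypasses(log_lines):
    """Detection over access logs: report (client, path) for requests the
    naive check would have let through but whose canonical form leaves
    the unauthenticated area. Expects '<ip> <method> <path> <status>'."""
    hits = []
    for line in log_lines:
        ip, _method, path, _status = line.split()
        if is_allowed_url_naive(path) and not is_allowed_url_hardened(path):
            hits.append((ip, path))
    return hits

# Constructed sample log lines, not captured from any real system.
SAMPLE_ACCESS_LOG = [
    "10.0.0.5 GET /olt/public/login.js 200",
    "10.0.0.7 GET /olt/public/../admin/ 200",
    "10.0.0.9 GET /olt/public/%2e%2e/admin/users 200",
    "10.0.0.11 GET /olt/admin/ 302",
]
```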
Fix
Related Identifiers
Affected Products
Oracle Application Testing Suite
Oracle Enterprise Manager Grid Control