PT-2018-1429 · Oracle · Oracle Order Management
Published 2018-07-17 · Updated 2019-10-03
CVE-2018-2954
CVSS v3.1 base score: 7.0 (High)
| Vector | AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Oracle E-Business Suite versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
Description
Oracle Order Management, a component of Oracle E-Business Suite, has an improper access control flaw in its Product Diagnostic Tools subcomponent. An attacker who already holds a low-privileged logon on the infrastructure where Oracle Order Management executes can exploit it to compromise Oracle Order Management. As the CVSS vector states, the attack is local (AV:L) and difficult to carry out (AC:H) and needs no user interaction, but a successful attack can result in full takeover of Oracle Order Management, with High confidentiality, integrity and availability impact.
Recommendations
For versions 12.1.1, 12.1.2 and 12.1.3, apply the Oracle Order Management patch for CVE-2018-2954 delivered in the Oracle Critical Patch Update of July 2018 (or any later Critical Patch Update, which is cumulative), as listed for Oracle E-Business Suite in the CPU advisory.
For versions 12.2.3, 12.2.4, 12.2.5, 12.2.6 and 12.2.7, apply the corresponding Critical Patch Update patch for the 12.2 code line.
Until the patch is applied, reduce exposure by limiting access to the Product Diagnostic Tools component and by restricting which accounts can log on to the hosts where Oracle Order Management executes: the attack vector is local (AV:L), so only an account that already has logon access to that infrastructure can exploit the flaw. Such restrictions lower the risk but do not remove the vulnerability; patching is the only complete fix.
Weakness Enumeration
Improper Access Control (CWE-284)
Affected Products
Oracle E-Business Suite
Oracle Order Management