CVE-2019-2622

Name of the Vulnerable Software and Affected Versions Oracle E-Business Suite versions 12.1.1 through 12.1.3, 12.2.3 through 12.2.8

Description The issue is related to insufficient access controls in the Renewals subcomponent of Oracle Service Contracts, part of the Oracle E-Business Suite system. This can be exploited by a remote attacker to gain access to modify, add, or delete data using the HTTP protocol. The attack requires some interaction from a person other than the attacker and can significantly impact additional products beyond Oracle Service Contracts, resulting in unauthorized access to update, insert, or delete some accessible data.

Recommendations For versions 12.1.1 through 12.1.3, apply the necessary patches or updates to fix the access control issue in the Renewals subcomponent. For versions 12.2.3 through 12.2.8, apply the necessary patches or updates to fix the access control issue in the Renewals subcomponent. As a temporary workaround, consider restricting access to the Renewals subcomponent until a patch is available.