PT-2019-3753 · Oracle · Adf+2

Khaled Sakr

·

Published

2019-10-15

·

Updated

2023-01-31

·

CVE-2019-2899

CVSS v2.0

3.5

Low

Vector AV:N/AC:M/Au:S/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Oracle JDeveloper and ADF versions 11.1.1.9.0 through 12.2.1.3.0 (the affected releases are 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0 and 12.2.1.3.0).
Description: The vulnerability stems from insufficient access control in the OAM component of Oracle JDeveloper and ADF. A remote attacker with network access over HTTP can use it to gain unauthorized access to protected information; the CVSS v2 vector above rates the attack as medium complexity and requiring single authentication (Au:S). Exploitation also requires human interaction from a person other than the attacker. A successful attack results in unauthorized read access to a subset of Oracle JDeveloper and ADF accessible data; integrity and availability are not affected.
Recommendations: Apply the fix Oracle released for CVE-2019-2899 (Oracle Critical Patch Update, October 2019). Where an installation of 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0 or 12.2.1.3.0 cannot be patched immediately, restrict access to the OAM component, or disable it as a temporary workaround, to minimize the risk of exploitation. Restrict network access over HTTP to the Oracle JDeveloper and ADF product to reduce the attack surface.

Fix

Weakness Enumeration

Improper Access Control

Related Identifiers

BDU:2019-04011
CVE-2019-2899

Affected Products

Adf
Oam
Oracle Jdeveloper