CVE-2020-2946

Name of the Vulnerable Software and Affected Versions Oracle Enterprise Manager versions 12.1.0.5, 13.2.0.0, 13.3.0.0

Description The issue is related to insufficient access control in the Application Performance Management component of Oracle Enterprise Manager, specifically in the EM Request Monitoring module. This can be exploited by a remote attacker to gain unauthorized access to sensitive information or to modify, add, or delete data using the HTTP protocol. Successful attacks can result in unauthorized access to critical data, complete access to all accessible data, or the ability to update, insert, or delete data, as well as cause a partial denial of service.

Recommendations For versions 12.1.0.5, 13.2.0.0, and 13.3.0.0, consider restricting access to the EM Request Monitoring component until a patch is available. As a temporary workaround, limit the use of the HTTP protocol for accessing the Application Performance Management product to minimize the risk of exploitation. Restrict network access to the Application Performance Management component to reduce the potential for unauthorized access.