CVE-2021-2080

Name of the Vulnerable Software and Affected Versions: Oracle Configurator versions 12.1 through 12.2

Description: The issue exists due to insufficient input validation in the UI Servlet component of Oracle Configurator, allowing a remote attacker to gain unauthorized access to protected information or modify, add, or delete data via the HTTP protocol. Successful attacks require human interaction and can significantly impact additional products, resulting in unauthorized access to critical data or complete access to all Oracle Configurator accessible data, as well as unauthorized update, insert, or delete access to some of Oracle Configurator accessible data.

Recommendations: For versions 12.1 and 12.2, consider disabling the UI Servlet component until a patch is available to prevent exploitation. Restrict access to the UI Servlet component to minimize the risk of unauthorized data access or modification. Avoid using the HTTP protocol for sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.