CVE-2022-21472

Name of the Vulnerable Software and Affected Versions Oracle FLEXCUBE Universal Banking versions 12.4, 14.0 through 14.3, 14.5

Description The issue exists due to insufficient input validation in the Infrastructure component of Oracle FLEXCUBE Universal Banking. This allows a remote attacker to gain read access to data or cause a partial denial of service using specially crafted HTTP requests. The attacker must have low privileges and network access via HTTP. Successful attacks require human interaction from a person other than the attacker and can result in unauthorized access to critical data, including creation, deletion, or modification of data, as well as unauthorized read access to a subset of data.

Recommendations For version 12.4, update to a version that includes the fix for this issue. For versions 14.0 through 14.3, update to a version that includes the fix for this issue. For version 14.5, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the Infrastructure component until a patch is available.