CVE-2022-21497

Name of the Vulnerable Software and Affected Versions Oracle Web Services Manager versions 12.2.1.3.0 through 12.2.1.4.0

Description The issue is related to insufficient input validation in the Web Services Security component. It allows an unauthenticated attacker with network access via HTTP to compromise Oracle Web Services Manager, requiring human interaction from a person other than the attacker. Successful attacks can result in unauthorized creation, deletion, or modification access to critical data or all Oracle Web Services Manager accessible data, as well as unauthorized access to critical data or complete access to all Oracle Web Services Manager accessible data. The attacker can exploit this issue by sending specially crafted HTTP requests.

Recommendations For versions 12.2.1.3.0 and 12.2.1.4.0, consider restricting access to the Web Services Security component until a patch is available. As a temporary workaround, limit the use of HTTP requests to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.