CVE-2022-21428

Name of the Vulnerable Software and Affected Versions Oracle FLEXCUBE Universal Banking versions 12.1 through 12.4 Oracle FLEXCUBE Universal Banking versions 14.0 through 14.3 Oracle FLEXCUBE Universal Banking version 14.5

Description The issue allows a low-privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Universal Banking, requiring human interaction from a person other than the attacker. Successful attacks can result in unauthorized creation, deletion, or modification access to critical data, as well as unauthorized access to all Oracle FLEXCUBE Universal Banking accessible data. Additionally, it can lead to a partial denial of service (partial DOS) of Oracle FLEXCUBE Universal Banking. The vulnerability exists due to insufficient input validation in the Infrastructure subcomponent.

Recommendations For versions 12.1 through 12.4, update to a version that includes the fix for this issue. For versions 14.0 through 14.3, update to a version that includes the fix for this issue. For version 14.5, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the Infrastructure subcomponent until a patch is available. Restrict HTTP access to the Oracle FLEXCUBE Universal Banking system to minimize the risk of exploitation.