Description

Oracle E-Business Suite could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization flaw in iesRuntimeServlet endpoint. By using specially-crafted serialized data, an attacker could exploit this vulnerability to execute arbitrary code on the system.

Remediation

Upgrade to the latest version of Oracle E-Business Suite

References

Oracle EBS Penetration testing tool

Related Vulnerabilities

Deserialization of Untrusted Data (XStream)

XML external entity injection (variant)

WordPress Plugin wpForo Forum Multiple Vulnerabilities (2.1.7)

Oracle Weblogic T3 XXE (CVE-2019-2888)

WordPress 4.9.x Multiple Vulnerabilities (4.9 - 4.9.15)

Severity

High

Classification

CWE-502 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Insecure Deserialization Acumonitor