Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

Oracle E-Business Suite Unauthenticated Remote Code Execution

Description

Oracle E-Business Suite (EBS), is an integrated set of business applications for automating customer relationship management (CRM), enterprise resource planning (ERP) and supply chain management (SCM) processes within organizations.

Oracle EBS versions 12.2.3-12.2.11 are affected by a vulnerability in the Oracle Web Applications Desktop Integrator product (component: Upload). The servlet BneAbstractXMLServlet is vulnerable to a zip slip vulnerability that allows an attacker to upload and overwrite arbitrary files.

Remediation

It's recommended to upgrade to the latest version of Oracle E-Business Suite (EBS).

References

Oracle Critical Patch Update Advisory - October 2022

CVE-2022-21587 (Oracle E-Business Suite Unauthenticated RCE)

Zip Slip Vulnerability

Related Vulnerabilities

Drupal Core 5.x Arbitrary Code Execution (5.0 - 5.2)

WordPress Plugin WP Easy Stats 'homep' Parameter Remote File Include (1.8)

XWiki Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2023-40177)

WordPress Plugin Insert or Embed Articulate Content into WordPress Remote Code Execution (4.2997)

XWikiplatform Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2024-31996)

Severity

High

Classification

CVE-2022-21587 CWE-94 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution Arbitrary File Creation