CVE-2021-35587
In short
Oracle Access Manager has a critical flaw that lets attackers take over the system without needing to log in. An attacker can access it over the network and gain complete control of the authentication service.
Technical detail
Unauthenticated remote code execution vulnerability in Oracle Access Manager (OpenSSO Agent), reachable via HTTP. Exploitation requires only network access: no authentication, no pre-conditions, and no user interaction. Successful exploitation results in complete compromise of the system, affecting confidentiality, integrity, and availability.
Summary generated and translated by AI from the official description.
Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: OpenSSO Agent). Supported versions that are affected are 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Oracle Corporation · Access Manager