CVE-2022-21587
In short
A missing authentication check in the Upload component of Oracle Web Applications Desktop Integrator (part of Oracle E-Business Suite) lets anyone who can reach the application over HTTP upload files and take complete control of it, with no account, password or user interaction required.
Technical detail
Unauthenticated arbitrary file upload in the Upload component of Web Applications Desktop Integrator, caused by a missing authentication check (CWE-306), leading to remote code execution. The attack needs only HTTP network access to the application, no privileges and no user interaction (AV:N/AC:L/PR:N/UI:N); a successful attack fully compromises the confidentiality, integrity and availability of the Web ADI application, with scope unchanged. Affected releases are E-Business Suite 12.2.3 through 12.2.11.
Summary generated and translated by AI from the official description.
Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Oracle Corporation · Web Applications Desktop Integrator

Public PoCs found: 4
github.com/hieuminhnv/CVE-2022-21587-POC (GitHub, ★ 15)
github.com/sahabrifki/CVE-2022-21587-Oracle-EBS- (GitHub, ★ 6)
github.com/rockmelodies/Oracle-E-BS-CVE-2022-21587-Exploit (GitHub, ★ 2)
packetstormsecurity.com/files/171208/Oracle-E-Business-Suite-EBS-Unauthenticated-Arbitrary-File-Upload.html (CVE reference, unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
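Added example, not from the page or from Oracle: a small triage helper that decides whether an E-Business Suite release string recorded in an asset inventory falls inside the affected range 12.2.3 through 12.2.11 stated in the advisory. The inventory dictionary is constructed sample data and the function names are this example's own. The point it makes is that release strings must be compared numerically, component by component: compared as plain strings, "12.2.9" sorts after "12.2.11" and a one-line string check would report it as unaffected.

```python
from __future__ import annotations

# Affected range taken from the advisory text on this page (inclusive).
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 11)


def parse_release(release: str) -> tuple[int, ...]:
    """Turn a dotted release string such as '12.2.11' into a tuple of
    ints so that comparisons are numeric, component by component."""
    parts = release.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric release: {release!r}")
    return tuple(int(p) for p in parts)


def is_affected(release: str) -> bool:
    """True when the release lies in 12.2.3 .. 12.2.11 inclusive.

    Extra trailing components (a hypothetical '12.2.11.1') are ignored
    for the comparison. A string with fewer components than the range
    ('12.2') cannot be classified, so it is flagged as affected: better
    a false positive on the exposure list than a silent miss."""
    v = parse_release(release)
    if len(v) < len(AFFECTED_MIN):
        return True
    return AFFECTED_MIN <= v[: len(AFFECTED_MIN)] <= AFFECTED_MAX


def is_affected_naive(release: str) -> bool:
    """The tempting one-liner, kept only to show why it is wrong:
    plain string comparison sorts '12.2.9' after '12.2.11', so a
    vulnerable 12.2.9 system is reported as unaffected."""
    return "12.2.3" <= release <= "12.2.11"


def triage(inventory: dict[str, str]) -> list[str]:
    """Return the hosts whose recorded release is in the affected range."""
    return sorted(host for host, rel in inventory.items() if is_affected(rel))


# Constructed sample data: hostname -> E-Business Suite release as
# recorded in an asset inventory. Hypothetical names, not real systems.
SAMPLE_INVENTORY = {
    "ebs-prod-01": "12.2.9",
    "ebs-prod-02": "12.2.11",
    "ebs-test-01": "12.2.12",
    "ebs-legacy-01": "12.1.3",
    "ebs-dev-01": "12.2.3",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: release {SAMPLE_INVENTORY[host]} is in the affected range")
```

Release strings that are not purely numeric are rejected rather than guessed at; an inventory entry like "12.2.x" should be fixed at the source, not silently classified.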