CVE-2025-61884
In short
A flaw in Oracle Configurator (part of E-Business Suite versions 12.2.3-12.2.14) allows attackers to access sensitive data without authentication over the network. An attacker can exploit this through a simple HTTP request to read confidential information.
Technical detail
Path traversal, authentication bypass, and HTTP request smuggling weaknesses in the Runtime UI component enable unauthenticated remote attackers to access restricted data. The vulnerability requires only network access and no user interaction; successful exploitation results in high confidentiality impact with unauthorized access to critical Configurator data.
Summary generated and translated by AI from the official description.
Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: Runtime UI). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
Oracle Corporation · Oracle Configurator
References
https://blogs.oracle.com/security/post/apply-july-2025-cpu
https://labs.watchtowr.com/well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-61884
https://www.oracle.com/security-alerts/alert-cve-2025-61884.html