CVE-2019-2557
Published 2019-04-23
Priority: P3 · 45 · Medium · 6.3 (CVSS 3.0)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:L / I:L / A:L
Exploit likelihood (EPSS): 5.50% (91.8th percentile)
Vulnerability in the Oracle Application Testing Suite component of Oracle Enterprise Manager Products Suite (subcomponent: Load Testing for Web Apps). The supported version that is affected is 13.3.0.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Application Testing Suite. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Testing Suite accessible data as well as unauthorized read access to a subset of Oracle Application Testing Suite accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Application Testing Suite. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | application_testing_suite | — | — |
| oracle_corporation | application_testing_suite | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests targeting the DownloadServlet endpoint in the Oracle Application Testing Suite (OATS) Load Testing interface for directory traversal patterns (e.g., '../' sequences in parameters).
- Alert on low-privileged authenticated HTTP requests to OATS that result in access to configuration files containing encrypted credentials, which may indicate chained exploitation toward RCE.
- Flag authentication attempts using the built-in default accounts ('default' and 'administrator') against the OATS Load Testing interface over HTTP, as these are the primary targets for pre-exploitation access.
- Exploitation requires authentication (low-privileged); attackers will first need valid credentials, so monitor for brute-force or credential stuffing against the OATS login before traversal activity.
- Only version 13.3.0.1 of Oracle Application Testing Suite is confirmed affected; scope detection rules accordingly.
- The vulnerability is exploitable over HTTP (not HTTPS-only), so network-level inspection of plaintext HTTP traffic to OATS is viable for detection.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.