CVE-2020-2733
Published: 2020-04-15
Priority: P2 · 74 · Critical · 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 18.64% (96.9th percentile)
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics). The supported version that is affected is 9.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | jd_edwards_enterpriseone_tools | — | — |
| oracle_corporation | jd_edwards_enterpriseone_tools | — | — |
Detection & IOCs (extracted from sources)
URL: /manage/fileDownloader?sec=1
Port: 8999
- Send an unauthenticated HTTP GET request to /manage/fileDownloader?sec=1 and check for the string 'ACHCJK' in the response body, a Content-Type header of 'text/plain', and an HTTP 200 status code; all three must match to confirm exploitation.
- Identify exposed JD Edwards EnterpriseOne Tools instances via Shodan by querying for WebLogic Server on port 8999.
- The vulnerability is exploitable with no authentication (PR:N, UI:N) over HTTP, meaning no credentials or user interaction are required to trigger the vulnerable endpoint.
- Only version 9.2 of JD Edwards EnterpriseOne Tools is confirmed affected; scope detection efforts accordingly.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_oracle | — | 9.8 | CRITICAL | — |
Oracle
CVE-2020-2733 [CRITICAL] Oracle JD Edwards Risk Matrix: Monitoring and Diagnostics
Source: vendor_oracle · 2020-04-15 · CVSS 9.8
- CVE: CVE-2020-2733
- CVSS: 9.8
- Protocol: HTTP
- Remote exploit: Yes
- Attack vector: Network
- Advisory: cpuapr2020 (APR 2020)
GHSA
CVE-2020-2733 [HIGH] GHSA-6rch-jwj8-2v8f: Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics)
Source: ghsa_unreviewed · 2022-05-24
Description: same text as the NVD description above.
No detection rules found.
Nuclei
CVE-2020-2733 [CRITICAL] JD Edwards EnterpriseOne Tools 9.2 - Information Disclosure
Source: nuclei · CVSS 9.8
JD Edwards EnterpriseOne Tools 9.2 is susceptible to information disclosure via the Monitoring and Diagnostics component. An attacker with network access via HTTP can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Template (info block only; the request section of the template is not indexed on this page):
```yaml
id: CVE-2020-2733

info:
  name: JD Edwards EnterpriseOne Tools 9.2 - Information Disclosure
  author: DhiyaneshDk,pussycat0x
  severity: critical
  description: |
    JD Edwards EnterpriseOne Tools 9.2 is susceptible to information disclosure via the Monitoring and Diagnostics component. An attacker with network access via HTTP can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
```
No writeups or analysis indexed.
Timeline: 2020-04-15 Published