CVE-2020-2961
published 2020-04-15


Priority P259 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.84% (76.4th percentile)
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Discovery Framework (Oracle OHS)). Supported versions that are affected are 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in takeover of Enterprise Manager Base Platform. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Affected

4 ranges
Vendor | Product | Version range | Fixed in
oracle | enterprise_manager_base_platform | |
oracle | enterprise_manager_base_platform | |
oracle_corporation | enterprise_manager_base_platform | |
oracle_corporation | enterprise_manager_base_platform | |

Detection & IOCs (extracted from sources)

  • Vulnerability is exploitable via HTTP by an unauthenticated remote attacker targeting the Discovery Framework (Oracle OHS) component of Oracle Enterprise Manager Base Platform
  • Affected versions are Enterprise Manager Base Platform 13.2.0.0 and 13.3.0.0; monitor for exploitation attempts against these specific versions
  • Successful exploitation results in full takeover (C/I/A all HIGH); treat any anomalous unauthenticated HTTP activity against the Discovery Framework / Oracle OHS endpoint as high-priority
  • No authentication or user interaction is required, and attack complexity is low (AC:L/PR:N/UI:N), meaning the attack surface is broad: any network-accessible instance of the affected versions is at risk
  • The vulnerable component is specifically Oracle OHS within the Discovery Framework; detections should be scoped to that sub-component rather than all of Oracle Enterprise Manager

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_oracle | | 9.8 | CRITICAL |