CVE-2021-2017

CWE-444 — HTTP Request Smuggling CWE-125 — Out-of-bounds Read CWE-362 — Race Condition CWE-79 — Cross-site Scripting (XSS)CWE-80 CWE-416 — Use After Free30 documents16 sources

Severity

4.3MEDIUM

EPSS

0.3%

top 46.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Oracle User Management Oracle Corporation User Management Oracle Enterprise Data Quality +1 more

Timeline

PublishedJan 20

Latest updateApr 11

Description

Vulnerability in the Oracle User Management product of Oracle E-Business Suite (component: Proxy User Delegation). Supported versions that are affected are 12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle User Management. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle User Management accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶NVDoracle/user_management12.2.3 — 12.2.10+1

▶CVEListV5oracle_corporation/user_management12.1.3, 12.2.3-12.2.10+1

▶NVDoracle/enterprise_data_quality11.1.1.9.0, 12.2.1.3.0+1

▶NVDoracle/retail_invoice_matching13.2, 14.0, 14.1+2

🔴Vulnerability Details

GHSA

Mautic vulnerable to stored cross-site scripting in description field↗2024-04-11

▶

OSV

check-mk vulnerabilities↗2022-07-20

▶

GHSA

GHSA-c9vm-6m38-wr3x: Vulnerability in the Oracle User Management product of Oracle E-Business Suite (component: Proxy User Delegation)↗2022-05-24

▶

GHSA

HTTP request smuggling in Undertow↗2021-06-16

▶

CVEList

CVE-2021-2017: Vulnerability in the Oracle User Management product of Oracle E-Business Suite (component: Proxy User Delegation)↗2021-01-20

▶

💥Exploits & PoCs

Exploit-DB

OpenEMR 5.0.0 - Remote Code Execution (Authenticated)↗2021-06-11

▶

Exploit-DB

SyncBreeze 10.1.16 - XML Parsing Stack-based Buffer Overflow↗2021-03-29

▶

📋Vendor Advisories

Red Hat

kernel: net: fix use-after-free in tw_timer_handler↗2024-02-27

▶

Red Hat

apr: Regression of CVE-2017-12613 fix in apr 1.7↗2021-08-23

▶

Oracle

Oracle Oracle Siebel CRM Risk Matrix: Cloud Gateway (Zookeeper) — CVE-2017-5637↗2021-07-15

▶

Oracle

Oracle Oracle Retail Applications Risk Matrix: Sales Audit Maintenance (Apache POI) — CVE-2017-12626↗2021-04-15

▶

CVE-2021-22974: On BIG-IP version 16↗2021-02-12

▶

🕵️Threat Intelligence

Sentinelone

Enterprise Security Essentials | Top 15 Most Routinely Exploited Vulnerabilities 2022↗2022-04-28

▶

Trendmicro

FormBook Adds Latest Office 365 0-Day Vulnerability CVE-2021-40444 to Its Arsenal↗2021-09-29

▶

💬Community

Bugzilla

CVE-2016-10228 glibc: iconv program can hang when invoked with the -c option↗2017-03-02

▶