CVE-2021-2302
published 2021-04-22

Priority: P2 (64)
CVSS 3.1 base score: 9.8 (critical)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 5.67% (92.0th percentile)
Vulnerability in the Oracle Platform Security for Java product of Oracle Fusion Middleware (component: OPSS). Supported versions that are affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Platform Security for Java. Successful attacks of this vulnerability can result in takeover of Oracle Platform Security for Java. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Affected (6 ranges)

Vendor                Product                       Version range    Fixed in
oracle                platform_security_for_java    -                -
oracle                platform_security_for_java    -                -
oracle                platform_security_for_java    -                -
oracle_corporation    platform_security_for_java    -                -
oracle_corporation    platform_security_for_java    -                -
oracle_corporation    platform_security_for_java    -                -

Detection & IOCs (extracted from sources)

  • CVE-2021-2302 affects Oracle Platform Security for Java (OPSS) over HTTP: monitor for unauthenticated HTTP requests targeting OPSS endpoints on affected Oracle Fusion Middleware versions (11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0).
  • Successful exploitation results in full takeover (C/I/A all HIGH): alert on any unexpected privilege escalation or unauthorized access originating from unauthenticated sessions against OPSS components.
  • Affected versions are specifically 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0 of Oracle Platform Security for Java (OPSS) within Oracle Fusion Middleware: scope detection and patching to these exact versions.
  • Exploitation requires no authentication and no user interaction (PR:N/UI:N), so any network-accessible OPSS instance is at risk unless compensating controls such as network segmentation or WAF filtering are in place.

CVSS provenance

Source          Version    Score    Severity    Vector
nvd             v3.1       9.8      CRITICAL    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0       7.5      HIGH        AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_oracle   -          9.8      CRITICAL    -