CVE-2021-2463
published 2021-07-21


Priority: P2 (60) · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.60% (72.8th percentile)
Vulnerability in the Oracle Commerce Platform product of Oracle Commerce (component: Dynamo Application Framework). Supported versions that are affected are 11.0.0, 11.1.0, 11.2.0 and 11.3.0-11.3.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Commerce Platform. Successful attacks of this vulnerability can result in takeover of Oracle Commerce Platform. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Affected

8 ranges
Vendor              Product            Version range     Fixed in
oracle              commerce_platform
oracle              commerce_platform
oracle              commerce_platform
oracle              commerce_platform  11.3.0 – 11.3.2
oracle_corporation  commerce_platform
oracle_corporation  commerce_platform
oracle_corporation  commerce_platform
oracle_corporation  commerce_platform

Detection & IOCs (extracted from sources)

  • The vulnerability is exploitable over HTTP with no authentication required (network access, no privileges, no user interaction), targeting the Dynamo Application Framework component of Oracle Commerce Platform.
  • Successful exploitation results in full takeover (C/I/A all HIGH); monitor for anomalous unauthenticated HTTP requests to Oracle Commerce Platform endpoints and for any unexpected process execution or privilege escalation originating from the Dynamo Application Framework.
  • Affected versions are Oracle Commerce Platform 11.0.0, 11.1.0, 11.2.0, and 11.3.0 through 11.3.2; ensure detection and patching scope covers all of these versions.
  • The vulnerable component is specifically the Dynamo Application Framework within Oracle Commerce Platform; scope detection rules to traffic targeting this component.

CVSS provenance

NVD (CVSS v3.1):   9.8 CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (CVSS v2.0):   7.5 HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
Vendor (Oracle):   9.8 CRITICAL