CVE-2021-2463
Published 2021-07-21
Priority P2 · 60 · Critical 9.8 · CVSS 3.1
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.60% (72.8th percentile)
Vulnerability in the Oracle Commerce Platform product of Oracle Commerce (component: Dynamo Application Framework). Supported versions that are affected are 11.0.0, 11.1.0, 11.2.0 and 11.3.0-11.3.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Commerce Platform. Successful attacks of this vulnerability can result in takeover of Oracle Commerce Platform. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Affected
8 ranges (version values as listed in the advisory text: 11.0.0, 11.1.0, 11.2.0 and 11.3.0 through 11.3.2)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | commerce_platform | 11.0.0 | — |
| oracle | commerce_platform | 11.1.0 | — |
| oracle | commerce_platform | 11.2.0 | — |
| oracle | commerce_platform | 11.3.0 – 11.3.2 | — |
| oracle_corporation | commerce_platform | 11.0.0 | — |
| oracle_corporation | commerce_platform | 11.1.0 | — |
| oracle_corporation | commerce_platform | 11.2.0 | — |
| oracle_corporation | commerce_platform | 11.3.0 – 11.3.2 | — |
Detection & IOCs (extracted from sources)
- Exploitable over HTTP with no authentication: network access, no privileges and no user interaction are required, and the target is the Dynamo Application Framework component of Oracle Commerce Platform.
- Successful exploitation yields full takeover (C/I/A all HIGH). Monitor for anomalous unauthenticated HTTP requests to Oracle Commerce Platform endpoints, and for unexpected process execution or privilege escalation originating from the Dynamo Application Framework process.
- Affected versions are Oracle Commerce Platform 11.0.0, 11.1.0, 11.2.0, and 11.3.0 through 11.3.2; make sure detection and patching scope covers all of them, including the whole 11.3.0–11.3.2 range rather than a single point release.
- The vulnerable component is specifically the Dynamo Application Framework within Oracle Commerce Platform; scope detection rules to traffic reaching that component.
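The scoping bullet above is easy to get wrong in an asset inventory: a string comparison puts "11.3.10" before "11.3.2", and a host reporting "11.3" is really 11.3.0, which is in scope. The following is an added example (not code from this page, from Oracle, or from any scanner) that encodes the advisory's affected set as numeric version tuples and runs it over a constructed inventory. It assumes Oracle Commerce Platform versions are reported as MAJOR.MINOR[.PATCH]; any fourth component or suffix is ignored for the comparison, which is an assumption, not something the advisory states.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected versions exactly as the advisory text lists them:
# 11.0.0, 11.1.0, 11.2.0 and 11.3.0 through 11.3.2 (inclusive).
AFFECTED_EXACT = {(11, 0, 0), (11, 1, 0), (11, 2, 0)}
AFFECTED_RANGES = [((11, 3, 0), (11, 3, 2))]


def parse_version(s: str) -> Optional[Version]:
    """Parse 'MAJOR.MINOR[.PATCH]' into an int tuple.

    A missing PATCH is treated as 0 ('11.3' -> (11, 3, 0)). Anything after the
    third numeric field (e.g. '11.3.2.1' or '11.3.2-p3') is ignored; that is an
    assumption made for this example, the advisory does not say how such
    strings map onto its version list. Returns None if the string does not
    start with MAJOR.MINOR.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", s)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: str) -> bool:
    """True if the version is in the advisory's affected set.

    Comparison is done on int tuples, so 11.3.10 correctly sorts above 11.3.2
    and is NOT flagged, whereas a naive string compare would flag it.
    """
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unparseable version string: {version!r}")
    if v in AFFECTED_EXACT:
        return True
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


# Constructed inventory for the example (hostnames and versions are made up).
CONSTRUCTED_INVENTORY = [
    ("commerce-prod-01", "11.3.1"),
    ("commerce-prod-02", "11.3.2"),
    ("commerce-stage-01", "11.3.3"),
    ("commerce-legacy-01", "11.0.0"),
    ("commerce-dev-01", "11.3.10"),
    ("commerce-dev-02", "11.3"),
]


def hosts_in_scope(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose reported version is affected by CVE-2021-2463."""
    return [host for host, ver in inventory if is_affected(ver)]


if __name__ == "__main__":
    for host in hosts_in_scope(CONSTRUCTED_INVENTORY):
        print(f"{host}: in scope for CVE-2021-2463, apply cpujul2021")
```

Feed `hosts_in_scope` the output of whatever inventory or CMDB export you have; the point of the example is the tuple comparison and the "11.3" normalisation, both of which are common causes of hosts being silently left out of a patch campaign.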
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_oracle | v3.1 | 9.8 | CRITICAL | — |
GHSA
GHSA-pqq8-443h-rp48: Vulnerability in the Oracle Commerce Platform product of Oracle Commerce (component: Dynamo Application Framework)
ghsa_unreviewed · 2022-05-24 · CRITICAL
Oracle
Oracle Commerce Risk Matrix: Dynamo Application Framework — CVE-2021-2463
vendor_oracle · 2021-07-15 · CVSS 9.8 · CRITICAL
CVE: CVE-2021-2463
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Attack vector: Network
Affected versions: 11.0.0, 11.1.0, 11.2.0, 11.3.0-11.3.2
Advisory: cpujul2021 (JUL 2021)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.