CVE-2021-35652
published 2021-10-20


Priority: P2 | 64 | critical | 10.0 | CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 1.81% (75.9th percentile)
Vulnerability in the Essbase Administration Services product of Oracle Essbase (component: EAS Console). The supported versions that are affected are Prior to 11.1.2.4.046 and Prior to 21.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Essbase Administration Services. While the vulnerability is in Essbase Administration Services, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Essbase Administration Services. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Affected

4 ranges

Vendor              Product                                    Version range                      Fixed in
oracle              essbase_administration_services            < 11.1.2.4.046                     11.1.2.4.046
oracle              essbase_administration_services            >= 21.0, < 21.3                    21.3
oracle_corporation  hyperion_essbase_administration_services   >= unspecified, < 11.1.2.4.046     11.1.2.4.046
oracle_corporation  hyperion_essbase_administration_services   >= unspecified, < 21.3             21.3

Detection & IOCs (extracted from sources)

  • The vulnerability is exploitable over HTTP by an unauthenticated remote attacker with network access, targeting the Essbase Administration Services (EAS) Console component. Monitor for unexpected/unauthenticated HTTP requests to EAS Console endpoints.
  • Successful exploitation can result in full takeover of Essbase Administration Services with scope change impacting additional products. Alert on anomalous activity or privilege escalation originating from the EAS Console service.
  • The vulnerability carries a CVSS 3.1 Base Score of 10.0 with Scope:Changed and full C/I/A impact, indicating lateral movement potential beyond the EAS Console itself. Treat any compromise of EAS Console as a potential pivot point to connected Essbase infrastructure.
  • Only Essbase Administration Services versions prior to 11.1.2.4.046 and prior to 21.3 are affected. Verify the deployed version before applying detection logic, as patched instances (11.1.2.4.046+ or 21.3+) are not vulnerable.
  • The vulnerability resides specifically in the EAS Console component of the Essbase Administration Services product. Detection and patching efforts should be scoped to this component.
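As an added example (not part of this CVE record and not an Oracle tool), the version check from the fourth bullet can be applied across an inventory by encoding the two affected ranges from the Affected table above. The helper assumes dotted numeric version strings such as 11.1.2.4.046, pads shorter versions with zeros so that 21.3 and 21.3.0 compare equal, and treats the "unspecified" lower bound as open. Hostnames and versions in the sample inventory are constructed.

```python
# Added example: triage deployed Essbase Administration Services versions
# against the affected ranges published for CVE-2021-35652.
# Ranges are taken from the Affected table; everything else is constructed.

from typing import Dict, Optional, Tuple

# (lower bound inclusive, or None for "unspecified"; upper bound exclusive; fixed version)
AFFECTED_RANGES = [
    (None, "11.1.2.4.046", "11.1.2.4.046"),
    ("21.0", "21.3", "21.3"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '11.1.2.4.046' into (11, 1, 2, 4, 46) for component-wise comparison."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in parts)


def _cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare two version tuples; shorter tuples are zero-padded (21.3 == 21.3.0)."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def is_affected(version: str) -> Optional[str]:
    """Return the fixed version to move to if `version` falls in an affected range, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low is not None and _cmp(v, parse_version(low)) < 0:
            continue  # below the inclusive lower bound of this range
        if _cmp(v, parse_version(high)) < 0:
            return fixed  # below the exclusive upper bound: affected
    return None


# Constructed sample inventory (hostnames and versions are made up for illustration)
SAMPLE_INVENTORY: Dict[str, str] = {
    "eas-prod-01": "11.1.2.4.045",
    "eas-prod-02": "11.1.2.4.046",
    "eas-dev-01": "21.2",
    "eas-dev-02": "21.3",
}


def vulnerable_hosts(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each affected host to the fixed version it should be upgraded to."""
    result = {}
    for host, version in inventory.items():
        fix = is_affected(version)
        if fix is not None:
            result[host] = fix
    return result


if __name__ == "__main__":
    for host, fix in vulnerable_hosts(SAMPLE_INVENTORY).items():
        print(f"{host}: affected by CVE-2021-35652, upgrade to {fix}")
```

Versions between 11.1.2.4.046 and 21.0 are not listed in either range on this page, so the helper reports them as not affected; if a vendor advisory lists further ranges, add them to AFFECTED_RANGES rather than widening the comparison.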

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     10.0   CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd            v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_oracle           10.0   CRITICAL