CVE-2022-21389
published 2022-01-19


Priority: P2 / 67
Severity: critical
CVSS 3.1 base score: 10.0
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 1.86% (76.6th percentile)
Vulnerability in the Oracle Communications Billing and Revenue Management product of Oracle Communications Applications (component: Connection Manager). Supported versions that are affected are 12.0.0.3 and 12.0.0.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Billing and Revenue Management. While the vulnerability is in Oracle Communications Billing and Revenue Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Communications Billing and Revenue Management. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Affected

4 ranges (version range and fixed-in columns were not captured)

Vendor              | Product                                        | Version range | Fixed in
oracle              | communications_billing_and_revenue_management  |               |
oracle              | communications_billing_and_revenue_management  |               |
oracle_corporation  | communications_billing_and_revenue_management  |               |
oracle_corporation  | communications_billing_and_revenue_management  |               |

Detection & IOCs (extracted from sources)

  • The vulnerability is exploitable over HTTP by an unauthenticated, remote attacker targeting the Connection Manager component of Oracle Communications Billing and Revenue Management
  • Scope is changed — successful exploitation can impact additional products beyond the directly vulnerable component, indicating potential for lateral movement or chained exploitation
  • Target affected versions 12.0.0.3 and 12.0.0.4 of Oracle Communications Billing and Revenue Management for prioritized detection and patching
  • No authentication or user interaction is required, meaning any network-accessible instance of the Connection Manager component is exposed with no prerequisite conditions
  • Full CIA triad impact (Confidentiality, Integrity, Availability) with a CVSS 3.1 Base Score of 10.0 and Changed scope: treat any exploitation as a full system takeover event

CVSS provenance

Source         | Version | Score | Severity | Vector
nvd            | v3.1    | 10.0  | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd            | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_oracle  |         | 10.0  | CRITICAL |