CVE-2012-0518
Published: 16 October 2012
Summary
CVE-2012-0518 is a medium-severity Open Redirect (CWE-601) vulnerability in Oracle Fusion Middleware. Its CVSS base score is 4.7 (Medium).
Operationally, ranked in the top 4.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
The vulnerability is an unspecified flaw, tracked as CWE-601, in the Oracle Application Server Single Sign-On component of Oracle Fusion Middleware 10.1.4.3.0. It permits remote attackers to affect system integrity through unknown vectors related to redirects and is distinct from CVE-2012-3175. The associated CVSS 3.1 score is 4.7 with an attack vector of network, low complexity, no privileges required, and user interaction needed, resulting in changed scope and limited integrity impact without confidentiality or availability effects.
Remote unauthenticated attackers can exploit the issue by supplying crafted redirect parameters that cause the Single Sign-On service to forward legitimate users to arbitrary destinations under attacker control, thereby compromising the integrity of the authentication flow.
Oracle's October 2012 Critical Patch Update and related Mandriva advisories address the flaw through available patches for the affected Fusion Middleware version. The vulnerability appears in CISA's catalog of known exploited vulnerabilities, confirming observed real-world use.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2012-0550
Vulnerability details
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3.0 allows remote attackers to affect integrity via unknown vectors related to Redirects, a different vulnerability than CVE-2012-3175.
- CWE(s)
- KEV Date Added
- 28 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Validates redirect parameters supplied to the SSO service so that only authorized destinations are accepted, directly blocking the open-redirect vector.
Enforces information-flow rules that restrict SSO redirects to explicitly permitted endpoints, preventing attacker-controlled destination changes.
Access-enforcement mechanisms can be configured to allow only pre-approved redirect targets within the Single Sign-On authentication flow.