Cyber Resilience

CVE-2012-0518

Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 16 October 2012
Modified: 22 April 2026
KEV Added: 28 March 2022
Patch: available (Oracle October 2012 Critical Patch Update)
CVSS Score v3.1: 4.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N)
EPSS Score: 0.2090 (95.8th percentile)
Risk Priority: 42 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2012-0518 is a medium-severity Open Redirect (CWE-601) vulnerability in Oracle Fusion Middleware. Its CVSS base score is 4.7 (Medium).

Operationally, it ranks in the top 4.2% of CVEs by exploit likelihood (EPSS 0.2090, 95.8th percentile), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability is a flaw of unspecified detail, classified as CWE-601 (open redirect), in the Oracle Application Server Single Sign-On component of Oracle Fusion Middleware 10.1.4.3.0. It permits remote attackers to affect integrity through unknown vectors related to redirects and is distinct from CVE-2012-3175. The CVSS 3.1 score of 4.7 breaks down as: attack vector network, low complexity, no privileges required, user interaction required (the victim must follow a crafted link), scope changed (the user lands on a site outside the SSO's security authority), and limited integrity impact with no confidentiality or availability effect.

In an open redirect of this class, a remote, unauthenticated attacker crafts a link to the Single Sign-On service whose redirect parameter names a destination under the attacker's control. A user who follows the link completes the trusted SSO step and is then forwarded off-site, which is why the impact is recorded against the integrity of the authentication flow. Oracle has not published the actual parameter or vector, so the parameter name and request shape are not known from the advisory.

Oracle's October 2012 Critical Patch Update, together with the related Mandriva advisories, addresses the flaw with patches for the affected Fusion Middleware version. The vulnerability appears in CISA's catalog of known exploited vulnerabilities, confirming observed real-world exploitation.

Vulnerability details

Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3.0 allows remote attackers to affect integrity via unknown vectors related to Redirects, a different vulnerability than CVE-2012-3175.

CWE(s): CWE-601 (Open Redirect)
KEV Date Added: 28 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Oracle Fusion Middleware 10.1.4.3.0 (Oracle Application Server Single Sign-On component)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Validates redirect parameters supplied to the SSO service so that only authorized destinations are accepted, directly blocking the open-redirect vector.

AC-4 Information Flow Enforcement (prevent)

Enforces information-flow rules that restrict SSO redirects to explicitly permitted endpoints, preventing attacker-controlled destination changes.

AC-3 Access Enforcement (prevent)

Access-enforcement mechanisms can be configured to allow only pre-approved redirect targets within the Single Sign-On authentication flow.
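The redirect-target check that the controls above describe, and the attack shape sketched under Deeper analysis, as an added Python example. This is not Oracle's code and it does not reproduce the undisclosed vector of CVE-2012-0518; it shows the open-redirect class generically. The "before" function forwards wherever the request asks; the "after" function resolves the parameter against the SSO's own origin and accepts only allowlisted hosts. The parameter name `return_url`, the host names, and the sample inputs are all constructed for illustration.

```python
"""Allowlisted redirect check for an SSO-style return_url parameter.

Added example for this page; not Oracle's code, and it does not reproduce the
undisclosed vector behind CVE-2012-0518. ALLOWED_HOSTS, DEFAULT_URL and the
sample inputs are constructed for illustration.
"""
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Assumption: the SSO only ever needs to return users to these application
# hosts. Hypothetical names.
ALLOWED_HOSTS = frozenset({"portal.example.com", "apps.example.com"})
DEFAULT_URL = "https://portal.example.com/"


def vulnerable_redirect_target(return_url: str) -> str:
    """'Before' behaviour of the open-redirect class: the SSO trusts the
    caller-supplied destination verbatim, so a crafted login link forwards
    the user wherever the attacker chose once authentication completes."""
    return return_url


def safe_redirect_target(return_url: Optional[str], base: str = DEFAULT_URL) -> str:
    """'After' behaviour: return a destination that is provably on an allowed
    host, or DEFAULT_URL. Resolves relative paths against the SSO's own
    origin and rejects the usual bypass shapes:
      //evil.example.net                      scheme-relative URL
      /\\evil.example.net                     backslash browsers treat as "/"
      https://portal.example.com@evil...      userinfo trick, real host is evil
      javascript:...                          non-http scheme
      https://portal.example.com.evil...      lookalike host, defeats prefix checks
    """
    if not return_url:
        return DEFAULT_URL
    # Browsers treat "\" as "/" in the authority, so normalise before parsing;
    # otherwise "/\evil.example.net" parses as a harmless relative path.
    candidate = return_url.replace("\\", "/")
    # Relative paths become on-site URLs; absolute and "//host" forms keep
    # their own host, which the allowlist then judges.
    resolved = urljoin(base, candidate)
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return DEFAULT_URL
    # .hostname drops userinfo and port and lowercases, so the comparison is
    # against the host the browser would actually connect to.
    if parts.hostname not in ALLOWED_HOSTS:
        return DEFAULT_URL
    return resolved


def evaluate(samples):
    """Run both functions over the inputs; returns a list of
    (input, vulnerable_result, safe_result) for inspection."""
    return [(s, vulnerable_redirect_target(s), safe_redirect_target(s)) for s in samples]


SAMPLE_INPUTS = [  # constructed, not observed traffic
    "/dashboard?tab=1",
    "https://apps.example.com/foo",
    "https://evil.example.net/phish",
    "//evil.example.net/phish",
    "/\\evil.example.net",
    "https://portal.example.com@evil.example.net/",
    "https://portal.example.com.evil.example.net/",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    for url, before, after in evaluate(SAMPLE_INPUTS):
        print(f"{url!r:50} before={before!r:50} after={after!r}")
```

The design choice that matters is comparing the parsed hostname against an exact allowlist rather than string-matching the raw parameter: a check such as `return_url.startswith("https://portal.example.com")` passes both the userinfo input and the lookalike-host input above, and a check for a leading `//` misses the backslash variant. Resolving relative paths against the SSO's own origin keeps the common legitimate case (return the user to the page they started on) working without widening the allowlist.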
