CVE-2022-21500
Published: 20 May 2022
Summary
CVE-2022-21500 is a high-severity vulnerability in Oracle E-Business Suite; the underlying weakness type (CWE) is unspecified. Its CVSS base score is 7.5 (High).
Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-21500 is a vulnerability in the Manage Proxies component of Oracle E-Business Suite version 12.2. The flaw is rated with a CVSS 3.1 base score of 7.5 and carries a confidentiality-only impact (no integrity or availability impact) that can expose critical data or grant complete access to all data accessible within the application. Oracle E-Business Suite 12.1 is stated to be unaffected.
The flaw is reachable by an attacker with network access over HTTP. The description notes that authentication is required but that a self-registered user suffices, so in practice no pre-existing privileges are needed to retrieve sensitive information; this is consistent with the PR:N (no privileges required) value in the CVSS vector.
Oracle security alerts direct customers to the Patch Availability Document for remediation details and state that fixes are delivered through the July 2022 Critical Patch Update. The associated EPSS score remains elevated, near 0.94.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-26724
Vulnerability details
Vulnerability in Oracle E-Business Suite (component: Manage Proxies). The supported version that is affected is 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle E-Business Suite. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle E-Business Suite accessible data. Note: Authentication is required for successful attack, however the user may be self-registered.

Oracle E-Business Suite 12.1 is not impacted by this vulnerability. Customers should refer to the Patch Availability Document for details. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
- CWE(s): none assigned (weakness type unspecified)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Oracle E-Business Suite 12.2 (component: Manage Proxies); version 12.1 is not affected.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.