Cyber Resilience

CVE-2022-21500

Severity: High
Published: 20 May 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: see the Oracle Patch Availability Document (July 2022 Critical Patch Update)
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.9374 (99.9th percentile)
Risk priority: 71 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-21500 is a high-severity vulnerability of an unspecified weakness type in Oracle E-Business Suite. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 0.1% of CVEs by EPSS exploit likelihood, but it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-21500 is a vulnerability in the Manage Proxies component of Oracle E-Business Suite version 12.2. The flaw is rated with a CVSS 3.1 base score of 7.5 and carries a confidentiality impact that can expose critical data or grant complete access to all data accessible within the application. Oracle E-Business Suite 12.1 is stated to be unaffected.

An attacker with network access via HTTP can exploit the issue. Although the description notes that authentication is required, it also indicates that the attacker may be a self-registered user, so the CVSS vector still rates privileges required as none (PR:N); the result is unauthorized retrieval of sensitive information without any additional privileges.

Oracle security alerts direct customers to the Patch Availability Document for remediation details and confirm that fixes are provided through the July 2022 Critical Patch Update. The associated EPSS score remains elevated near 0.94.


Vulnerability details

Vulnerability in Oracle E-Business Suite (component: Manage Proxies). The supported version that is affected is 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle E-Business Suite. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle E-Business Suite accessible data. Note: Authentication is required for successful attack, however the user may be self-registered.

Oracle E-Business Suite 12.1 is not impacted by this vulnerability. Customers should refer to the Patch Availability Document for details. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

CWE(s)

None assigned.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Oracle E-Business Suite 12.2
Oracle User Management 12.2.4 to 12.2.11

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
