Cyber Resilience

CVE-2023-21932

High

Published: 18 April 2023

Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L)
EPSS Score: 0.2437 (96.2th percentile)
Risk Priority: 29 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-21932 is a high-severity vulnerability of unspecified weakness type in Oracle Hospitality OPERA 5 Property Services. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 3.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-21932 affects the OXI component of Oracle Hospitality OPERA 5 Property Services version 5.6 within Oracle Hospitality Applications. It is a difficult-to-exploit flaw that permits a high-privileged attacker with network access via HTTP to impact confidentiality, integrity, and availability. The CVSS 3.1 base score of 7.2 reflects high confidentiality impact, limited integrity and availability effects, and a scope change that extends consequences to other products.

A successful attack by such an authenticated network attacker can yield unauthorized access to critical or all accessible data, permit unauthorized updates, inserts, or deletions on portions of the data, and cause partial denial of service against the OPERA 5 Property Services instance.

The referenced Oracle Critical Patch Update for April 2023 addresses the issue and supplies the official remediation guidance for affected Hospitality Applications deployments. The associated EPSS score has remained at 0.2437 with no material increase since disclosure.

EU & UK References

Vulnerability details

Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: OXI). The supported version that is affected is 5.6. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. While the vulnerability is in Oracle Hospitality OPERA 5 Property Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hospitality OPERA 5 Property Services accessible data as well as unauthorized update, insert or delete access to some of Oracle Hospitality OPERA 5 Property Services accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hospitality OPERA 5 Property Services. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L).

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

oracle
hospitality opera 5 property services
5.6

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References