CVE-2023-21932
Published: 18 April 2023
Summary
CVE-2023-21932 is a high-severity vulnerability of an unspecified weakness type in Oracle Hospitality Opera 5 Property Services. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 3.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Vulnerability CVE-2023-21932 affects the OXI component of Oracle Hospitality OPERA 5 Property Services version 5.6 within Oracle Hospitality Applications. It is a difficult-to-exploit flaw that permits a high-privileged attacker with network access via HTTP to impact confidentiality, integrity, and availability. Its CVSS 3.1 base score of 7.2 reflects high confidentiality impact, low integrity and availability impact, and a scope change, meaning the consequences can extend beyond the vulnerable product to other products.
A successful attack by such an authenticated network attacker can yield unauthorized access to critical or all accessible data, permit unauthorized updates, inserts, or deletions on portions of the data, and cause partial denial of service against the OPERA 5 Property Services instance.
The referenced Oracle Critical Patch Update for April 2023 addresses the issue and supplies the official remediation guidance for affected Hospitality Applications deployments. The associated EPSS score has remained at 0.2437 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-26097
Vulnerability details
Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: OXI). The supported version that is affected is 5.6. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. While the vulnerability is in Oracle Hospitality OPERA 5 Property Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hospitality OPERA 5 Property Services accessible data as well as unauthorized update, insert or delete access to some of Oracle Hospitality OPERA 5 Property Services accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hospitality OPERA 5 Property Services. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L).
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.