CVE-2024-20953
Published: 17 February 2024
Summary
CVE-2024-20953 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Oracle Agile Product Lifecycle Management. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 1.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-20953 is a vulnerability in the Export component of Oracle Agile PLM version 9.3.6 within Oracle Supply Chain. It carries a CVSS 3.1 base score of 8.8 with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and is associated with CWE-502. The flaw permits remote compromise of the affected product.
A low-privileged attacker with network access over HTTP can exploit the issue without user interaction to achieve full takeover of Oracle Agile PLM, impacting confidentiality, integrity, and availability.
Oracle's January 2024 Critical Patch Update addresses the vulnerability, and the issue appears in CISA's Known Exploited Vulnerabilities catalog. The associated EPSS score peaked at 0.7032 and currently stands at 0.6791.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-18667
Vulnerability details
Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain (component: Export). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in takeover of Oracle Agile PLM. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- KEV Date Added: 24 February 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly blocks deserialization of untrusted data over HTTP before the Export component processes attacker-supplied input.
- SI-2 (Flaw Remediation): Requires prompt application of the January 2024 CPU patch that eliminates the deserialization flaw in Agile PLM 9.3.6.
- Integrity verification: Enables integrity verification of the PLM application binaries and libraries to detect unauthorized modification or exploitation artifacts.