Cyber Resilience

CVE-2024-21287

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 18 November 2024
Modified: 27 October 2025
KEV Added: 21 November 2024
Patch: vendor advisory (link not captured on this page)
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.6983 (98.7th percentile)
Risk Priority: 77 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-21287 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Oracle Agile Product Lifecycle Management. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 1.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-17 (Remote Access).

Deeper analysis

CVE-2024-21287 is an improper authorization vulnerability, tracked under CWE-863, that affects the Software Development Kit and Process Extension components of Oracle Agile PLM Framework version 9.3.6 within Oracle Supply Chain. The flaw resides in the product's handling of network requests and permits unauthorized exposure of sensitive information without requiring authentication or user interaction.

An unauthenticated attacker with network access over HTTP can exploit the issue due to its low attack complexity. Successful exploitation grants the attacker unauthorized access to critical data or complete access to all data accessible through the Oracle Agile PLM Framework, resulting in a confidentiality impact rated at CVSS 7.5.

The Oracle security advisory linked in the References addresses remediation for the affected release; CISA's inclusion of the CVE in its Known Exploited Vulnerabilities catalog signals that organizations running the product should prioritize patching.

The EPSS score has reached 0.6983 with no subsequent increase reported after disclosure.


Vulnerability details

Vulnerability in the Oracle Agile PLM Framework product of Oracle Supply Chain (component: Software Development Kit, Process Extension). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM Framework. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile PLM Framework accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

CWE(s): CWE-863 (Incorrect Authorization)
KEV Date Added: 21 November 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: oracle
Product: agile product lifecycle management
Version: 9.3.6

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)

Directly enforces authorization checks before granting access to Oracle Agile PLM Framework data, blocking the unauthenticated HTTP requests that exploit the missing authorization flaw.

[control identifier not captured on this page] (prevent)

Requires identification and authentication of non-organizational users before allowing network access to the PLM Framework, eliminating the unauthenticated attack vector described in the CVE.

AC-17 Remote Access, partial match (prevent)

Restricts and authorizes remote HTTP access to the Agile PLM Framework, preventing the unauthenticated network-based data disclosure where proper remote-access controls are absent.

References