CVE-2024-21287
Published: 18 November 2024
Summary
CVE-2024-21287 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Oracle Agile Product Lifecycle Management. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 1.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-17 (Remote Access).
Deeper analysis
CVE-2024-21287 is an improper authorization vulnerability, tracked under CWE-863, that affects the Software Development Kit and Process Extension components of Oracle Agile PLM Framework version 9.3.6 within Oracle Supply Chain. The flaw resides in the product's handling of network requests and permits unauthorized exposure of sensitive information without requiring authentication or user interaction.
Because attack complexity is low, an unauthenticated attacker with network access over HTTP can exploit the issue. Successful exploitation grants unauthorized access to critical data, or complete access to all data reachable through the Oracle Agile PLM Framework; the impact is to confidentiality only (CVSS 3.1 base score 7.5, C:H/I:N/A:N).
Oracle's security advisory for this CVE provides the remediation steps for the affected release, and CISA's inclusion of the CVE in its Known Exploited Vulnerabilities catalog signals that organizations running the product should prioritize patching.
The EPSS score stands at 0.6983, with no further increase reported since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-19000
Vulnerability details
Vulnerability in the Oracle Agile PLM Framework product of Oracle Supply Chain (component: Software Development Kit, Process Extension). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM Framework. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile PLM Framework accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
- CWE(s): CWE-863 (Incorrect Authorization)
- KEV Date Added: 21 November 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authorization checks before granting access to Oracle Agile PLM Framework data, blocking the unauthenticated HTTP requests that exploit the missing authorization check.
- IA-8 (Identification and Authentication (Non-Organizational Users)): requires identification and authentication of non-organizational users before allowing network access to the PLM Framework, eliminating the unauthenticated attack vector described in the CVE.
- AC-17 (Remote Access): restricts and authorizes remote HTTP access to the Agile PLM Framework, so that unauthenticated network-based data disclosure cannot occur without proper remote-access controls.