HomePentest-Tools.com Logo

Oracle E-Business Suite - Remote Code Execution (CVE-2022-21587)

Severity
CVSSv3 Score
9.8
Vulnerability description

Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite is affected by a Remote Code Execution vulnerability. The root cause of this vulnerability is a special case treated by doUploadFile method which allows uploading a file using UUE encoding. The attacker can upload a malicious Perl web shell in order to achieve access to the server.

Risk description

The risk exists that a remote unauthenticated attacker can fully compromise the server in order to steal confidential information, install ransomware, or pivot to the internal network.

Exploit capabilities

Sniper can gain unauthenticated Remote Code Execution on the target system and extract multiple artefacts as evidence.

Recommendation

Apply the security patch for the Oracle Web Applications Desktop Integrator.

Codename
Not available
Detectable with
Network Scanner
Exploitable with Sniper
Yes
Vuln date
Oct 2022
Published at
Updated at
Software Type
Web server
Vendor
Oracle
Product
EBS