CVE-2022-21445 Oracle JDeveloper is vulnerable to CVE-2016-2115. Both versions 12.2.1.3.0 and 12.2.1.4.0 are affected.

In addition, it is possible to conduct SQL injection attacks. It is also possible to bypass access restriction mechanisms (e.g., try anonymous connections). If user credentials are not necessary for exploiting this vulnerability, then this can be exploited by administrators. Exploitation of this vulnerability results in unauthorized access to Oracle JDeveloper.

Mitigation

For Oracle JDeveloper users, it is recommended to update to the latest version. For administrators, it is recommended to review Oracle JDeveloper configuration and access control settings.

Vulnerable versions

The following versions are vulnerable to this issue:

12.2.1.3.0
12.2.1.4.0
12.2.1.5.0
12.2.1.5.1
12.2.1.6.0
12.2.1.6.1
12.2.1.6.2
12.2.1.7.0
12.2.1.7.1
12.2.1.7.2
12.2.1.7.3
12.2.1.7.4

How to determine which version of Oracle JDeveloper is installed?

To determine which version of Oracle JDeveloper is installed, log in to the JDeveloper console and go to Tools > Java Control Panel.

Vulnerability details

So, what does this vulnerability entail? Users must have "viewdata" permission for a database that uses the Oracle JDeveloper SQL interface. The only way to exploit this vulnerability is if your user account has write access permissions for the database.
