CVE-2022-21503: a vulnerability in the Oracle Cloud Infrastructure product allows a high privileged attacker with network access to compromise Oracle Cloud Infrastructure.

CVE-2022-21585 is also known as Cloud Control. Cloud Control is an application that provides organizations with a centralized view of their cloud resources. It provides a single sign-on experience across clouds, APIs and services, and lets users view usage, cost and performance data across their cloud infrastructure. Cloud Control is an easily exploitable vulnerability. A high privileged attacker with network access can exploit it. End users can be compromised via command injection. CVSS 3.1 Base Score 7.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Summary

The Cloud Control application is an easily exploitable vulnerability. A high privileged attacker with network access can exploit it. End users can be compromised via command injection.

Vulnerability overview

CVE-2022-21503 is a Cloud Control vulnerability found in the “/status” endpoint. This endpoint allows an attacker to retrieve information about other users in the system by sending a specially crafted request that contains no authentication information.
The vulnerability exists because of insecure use of the “csrf_token” parameter on this endpoint. It should be set to false, but it is not, which allows command injection through an attack vector that is also reflected in the CVSS 3.1 score.

Technical Details

CVE-2022-21503: This vulnerability is in Cloud Control. Cloud Control is an application that provides organizations with a centralized view of their cloud resources. It provides a single sign-on experience across clouds, APIs and services, and lets users view usage, cost and performance data across their cloud infrastructure. Cloud Control is an easily exploitable vulnerability. A high privileged attacker with network access can exploit it. End users can be compromised via command injection. CVSS 3.1 Base Score 7.6 (Confidentiality, Integrity and Availability impacts).
CVE-2022-21585: This vulnerability is in the application's content management functionality. It allows attackers to perform arbitrary actions on behalf of users by injecting commands into the form processing page through CSRF attack vectors or XSS vulnerabilities when specific content types are targeted by the application, resulting in privilege escalation. CVSS 3.1 Base Score 9 (Complete confidentiality impact). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Timeline

Published on: 06/17/2022 21:15:00 UTC
Last modified on: 06/28/2022 15:59:00 UTC