While this vulnerability does not allow unauthenticated attackers to execute code or achieve a full remote takeover of Enterprise Manager Base Platform, it can be used to obtain unauthorized access, to delete or alter critical data without authorization, or to cause disruption by flooding Enterprise Manager Base Platform with invalid requests. Enterprise Manager Base Platform is accessible via the HTTP protocol, and any network device can be used by attackers. Workaround: Apply the update to Enterprise Manager Base Platform as soon as possible. If a new version of Enterprise Manager Base Platform is already applied, then it must be uninstalled and then installed again. For supported versions of Enterprise Manager, a new version that fixes this vulnerability must be installed as soon as possible. End users do not usually have to apply updates directly. For Enterprise Manager, administrators have to install updates through the Management Agent.

Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Fulfillment Services). Supported versions that are affected are 13.4.0.0 and 13.5.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform via unspecified vectors. Note: This vulnerability can be exploited through Management Agents and Workflow Engines. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:

Operation Scenarios

An attacker can use this vulnerability to obtain unauthorized access, to delete or alter critical data without authorization, or to cause disruption by flooding Enterprise Manager Base Platform with invalid requests.
The vulnerability could be exploited through Management Agents and Workflow Engines. Attackers can only exploit the vulnerability on Enterprise Manager Base Platforms that are accessible via the HTTP protocol, and they can use any network device to attack these devices.

Vulnerability in the Oracle Enterprise Manager (EM) Cloud Service product of Oracle Enterprise Manager.

While this vulnerability does not allow unauthenticated attackers to execute code or achieve a full remote takeover of Enterprise Manager Cloud Service, it can be used to obtain unauthorized access, to delete or alter critical data without authorization, or to cause disruption by flooding Enterprise Manager Cloud Service with invalid requests.
End user devices are accessible via HTTP protocol and any network device can be used by attackers. Workaround: Apply the update to Enterprise Manager Cloud Service as soon as possible. If a new version of Enterprise Manager Cloud Service is already applied, then it must be uninstalled and then installed again. For supported versions of Enterprise Manager, a new version that fixes this vulnerability must be installed as soon as possible. End users do not usually have to apply updates directly. For Enterprise Manager, administrators have to install updates through the Management Agent.

Vulnerability in the Oracle Enterprise Manager Cloud Service product of Oracle Enterprise Manager. Supported versions that are affected are 13.4.0.0 and 13.5.0.0 (This vulnerability will not stand on earlier versions). Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform via unspecified vectors. Note: This vulnerability can be exploited through Management Agents and Workflow Engines. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3) (AV:N/AC:L/PR:L/UI:N/S:U/C:L

Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (Fulfillment Services)

While this vulnerability does not allow unauthenticated attackers to execute code or achieve a full remote takeover of Enterprise Manager Base Platform, it can be used to obtain unauthorized access, to delete or alter critical data without authorization, or to cause disruption by flooding Enterprise Manager Base Platform with invalid requests. Enterprise Manager Base Platform is accessible via the HTTP protocol, and any network device can be used by attackers. Workaround: Apply the update to Enterprise Manager Base Platform as soon as possible. If a new version of Enterprise Manager Base Platform is already applied, then it must be uninstalled and then installed again. For supported versions of Enterprise Manager, a new version that fixes this vulnerability must be installed as soon as possible. End users do not usually have to apply updates directly. For Oracle Enterprise Manager, administrators have to install updates through the Management Agent.

CVE-2022-21623
Unauthenticated attackers can exploit this vulnerability in Oracle Enterprise Manager Fulfillment Services through HTTP protocol in order to exploit other vulnerabilities such as SQL injection or unauthorized data deletion or modification and cause disruptions in operations on the affected system. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:

Affected versions
* 12.2.3.1 and 12.2.3.2
* 12.2.3.3
* 13.4.0.0
* 13.5.0.0

Timeline

Published on: 10/18/2022 21:15:00 UTC
Last modified on: 10/18/2022 21:18:00 UTC
