Oracle Communications Session Report Manager 8.2.0/8.2.1/8.2.2 deserialization


A vulnerability, which was classified as critical, has been found in Oracle Communications Session Report Manager 8.2.0/8.2.1/8.2.2 (Cloud Software). Affected by this issue is some unknown functionality. Upgrading eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.

Entry history (one column per revision; a blank cell means the field was not present in that revision):

| Field | 11/21/2020 07:34 AM | 11/22/2020 05:14 PM | 11/22/2020 05:18 PM |
| --- | --- | --- | --- |
| vendor | Oracle | Oracle | Oracle |
| name | Communications Session Report Manager | Communications Session Report Manager | Communications Session Report Manager |
| cve | CVE-2020-9484 | CVE-2020-9484 | CVE-2020-9484 |
| risk | 2 | 2 | 2 |
| cvss3_vuldb_av | L | L | L |
| cvss3_vuldb_ac | H | H | H |
| cvss3_vuldb_pr | L | L | L |
| cvss3_vuldb_ui | N | N | N |
| cvss3_vuldb_s | U | U | U |
| cvss3_vuldb_c | H | H | H |
| cvss3_vuldb_i | H | H | H |
| cvss3_vuldb_a | H | H | H |
| cvss3_vuldb_rl | O | O | O |
| cvss3_vuldb_rc | C | C | C |
| version | 8.2.0/8.2.1/8.2.2 | 8.2.0/8.2.1/8.2.2 | 8.2.0/8.2.1/8.2.2 |
| url | https://www.oracle.com/security-alerts/cpuoct2020.html | https://www.oracle.com/security-alerts/cpuoct2020.html | https://www.oracle.com/security-alerts/cpuoct2020.html |
| date | 1603144800 | 1603144800 | 1603144800 |
| identifier | Oracle Critical Patch Update Advisory - October 2020 | Oracle Critical Patch Update Advisory - October 2020 | Oracle Critical Patch Update Advisory - October 2020 |
| name | Upgrade | Upgrade | Upgrade |
| date | 1603144800 | 1603144800 | 1603144800 |
| type | Cloud Software | Cloud Software | Cloud Software |
| cvss2_vuldb_av | L | L | L |
| cvss2_vuldb_ac | H | H | H |
| cvss2_vuldb_ci | C | C | C |
| cvss2_vuldb_ii | C | C | C |
| cvss2_vuldb_ai | C | C | C |
| cvss2_vuldb_au | S | S | S |
| cvss2_vuldb_e | ND | ND | ND |
| cvss2_vuldb_rl | ND | ND | ND |
| cvss2_vuldb_rc | ND | ND | ND |
| cvss3_vuldb_e | X | X | X |
| cvss2_vuldb_basescore | 6.0 | 6.0 | 6.0 |
| cvss2_vuldb_tempscore | 5.2 | 5.2 | 5.2 |
| cvss3_vuldb_basescore | 7.0 | 7.0 | 7.0 |
| cvss3_vuldb_tempscore | 6.7 | 6.7 | 6.7 |
| cvss3_meta_basescore | 7.0 | 7.0 | 7.0 |
| cvss3_meta_tempscore | 6.7 | 6.7 | 6.7 |
| price_0day | $5k-$25k | $5k-$25k | $5k-$25k |
| cvss2_nvd_basescore | 4.4 | 4.4 | 4.4 |
| cvss3_nvd_basescore | 7.0 | 7.0 | 7.0 |
| cve_assigned | | 1583017200 | 1583017200 |
| cve_nvd_summary | | (see below) | (see below) |
| confirm_url | | https://kc.mcafee.com/corporate/index?page=content&id=SB10332 | https://kc.mcafee.com/corporate/index?page=content&id=SB10332 |
| cwe | | | 502 |
| cvss3_nvd_av | | | L |
| cvss3_nvd_ac | | | H |
| cvss3_nvd_pr | | | L |
| cvss3_nvd_ui | | | N |
| cvss3_nvd_s | | | U |
| cvss3_nvd_c | | | H |
| cvss3_nvd_i | | | H |
| cvss3_nvd_a | | | H |
| cvss2_nvd_av | | | L |
| cvss2_nvd_ac | | | M |
| cvss2_nvd_au | | | N |
| cvss2_nvd_ci | | | P |
| cvss2_nvd_ii | | | P |
| cvss2_nvd_ai | | | P |

cve_nvd_summary (identical in the 11/22/2020 05:14 PM and 11/22/2020 05:18 PM revisions): When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.
