A vulnerability has been found in Oracle Knowledge 8.5.x (Knowledge Base Software) and classified as problematic. This vulnerability affects an unknown functionality of the component Information Manager Console. The manipulation with an unknown input leads to a information disclosure vulnerability. The CWE definition for the vulnerability is CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. As an impact it is known to affect confidentiality. CVE summarizes:

Unspecified vulnerability in the Oracle Knowledge component in Oracle Siebel CRM 8.5.x allows remote authenticated users to affect confidentiality via vectors related to Information Manager Console.

The weakness was released 07/19/2016 with Oracle as Oracle Critical Patch Update Advisory - July 2016 as confirmed advisory (Website). The advisory is available at oracle.com. This vulnerability was named CVE-2016-3475 since 03/17/2016. The exploitation appears to be easy. The attack can be initiated remotely. The successful exploitation needs a single authentication. The technical details are unknown and an exploit is not available. This vulnerability is assigned to T1592 by the MITRE ATT&CK project.

Upgrading eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.

The vulnerability is also documented in the vulnerability database at SecurityFocus (BID 91787†). Entries connected to this vulnerability are available at VDB-76354, VDB-78584, VDB-78603 and VDB-78601. Once again VulDB remains the best source for vulnerability data.

Productinfo

Type

• Knowledge Base Software

Vendor

• Oracle

Name

• Knowledge

Version

• 8.5.x

License

• commercial

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion