CVE-2017-10052 in Agile PLM
Summary
by MITRE
Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: PCMServlet). Supported versions that are affected are 9.3.5 and 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Agile PLM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Agile PLM accessible data as well as unauthorized read access to a subset of Oracle Agile PLM accessible data. CVSS 3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Analysis
by VulDB Data Team • 05/08/2025
CVE-2017-10052 resides in the Oracle Agile PLM component of Oracle Supply Chain Products Suite, specifically in the PCMServlet subcomponent, and affects versions 9.3.5 and 9.3.6 of the software. It can be triggered by an unauthenticated attacker, and its classification as easily exploitable (attack complexity Low, AC:L in the CVSS vector) means that exploitation requires neither specialized skills nor extensive resources, which makes it particularly relevant for production deployments where the system is reachable over a network.
The technical nature of this vulnerability stems from insufficient authentication mechanisms within the PCMServlet component, which processes HTTP requests without requiring proper authorization, so a malicious actor can craft specific HTTP requests that manipulate the underlying system. The CVSS 3.0 base score of 6.1 reflects moderate severity, driven by the confidentiality and integrity impacts. Decoding the vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N): the flaw is reachable over the network (AV:N), has low attack complexity (AC:L) and requires no prior privileges (PR:N), but it needs interaction from a user other than the attacker (UI:R), which suggests that exploitation involves some form of social engineering or user engagement. The scope is changed (S:C), which is why the summary notes that attacks may significantly impact additional products, and the confidentiality and integrity impacts are rated Low (C:L, I:L) with no availability impact (A:N).
The operational impact of this vulnerability extends beyond the immediate compromise of Oracle Agile PLM data. An attack can result in unauthorized update, insert, or delete operations against sensitive data within the system, potentially corrupting or manipulating records in ways that severely disrupt supply chain operations. Unauthorized read access to a subset of Oracle Agile PLM data could also expose proprietary information, product designs, or other business-critical data of value to competitors or malicious actors. Because the vulnerability can significantly impact additional products (the changed scope in the CVSS vector), a compromise may extend beyond the primary system to adjacent components or integrated systems within the supply chain ecosystem.
Organizations running the affected versions should implement immediate mitigations, including network segmentation to limit access to the affected system, web application firewalls to monitor and filter HTTP requests, and application-level controls that validate all incoming requests. Strong authentication mechanisms and access controls should be prioritized, along with regular security assessments to identify potential exploitation vectors. According to CWE, this vulnerability aligns with CWE-287 (improper authentication), while the ATT&CK framework would categorize it under privilege escalation and credential access techniques. Regular patch management and vulnerability scanning should be in place to prevent similar issues from recurring, as this vulnerability demonstrates the importance of maintaining up-to-date security controls in enterprise supply chain management systems.