CVE-2017-10080 in Agile PLM
Summary
by MITRE
Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: Security). Supported versions that are affected are 9.3.5 and 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Agile PLM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Agile PLM accessible data as well as unauthorized read access to a subset of Oracle Agile PLM accessible data. CVSS 3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 05/08/2025
The vulnerability identified as CVE-2017-10080 resides within Oracle Agile PLM component of the Oracle Supply Chain Products Suite, specifically within the Security subcomponent. This weakness affects versions 9.3.5 and 9.3.6 of the software, representing a significant security flaw that undermines the integrity and confidentiality of product lifecycle management systems. The vulnerability's classification as easily exploitable indicates that attackers can leverage network-based HTTP access to compromise the system without requiring authentication credentials, making it particularly dangerous for organizations relying on these platforms for critical product data management.
The technical nature of this vulnerability stems from inadequate input validation and access control mechanisms within the Oracle Agile PLM framework. Attackers can exploit this flaw through unauthenticated HTTP connections, bypassing traditional authentication barriers that should protect sensitive product data. The vulnerability's CVSS 3.0 score of 6.1 reflects moderate severity with confidentiality and integrity impacts rated as low, though the potential for unauthorized data manipulation through update, insert, or delete operations presents substantial risks to business continuity and intellectual property protection. The attack vector requires network access from external sources, while the attack complexity is classified as low, meaning that skilled adversaries can execute successful exploitation with minimal technical barriers.
The operational impact of this vulnerability extends beyond the immediate Oracle Agile PLM environment, as the security compromise can potentially affect additional products within the Oracle Supply Chain Products Suite ecosystem. This cascading effect demonstrates the interconnected nature of enterprise software platforms where a single vulnerability in one component can create ripple effects across multiple systems. Successful exploitation enables attackers to gain unauthorized access to sensitive product information, including the ability to modify or delete critical data elements that govern product development, manufacturing, and supply chain processes. The requirement for human interaction suggests that while the initial exploitation may be automated, successful compromise often requires some form of user engagement or specific conditions that must be met for the full attack to succeed.
Organizations affected by this vulnerability should implement immediate mitigations including network segmentation to restrict access to the Oracle Agile PLM systems, deployment of web application firewalls to monitor and filter HTTP traffic, and application of Oracle's security patches as soon as they become available. The vulnerability aligns with CWE-284 (Improper Access Control) and represents a classic example of insufficient authorization controls that allow unauthorized data access and modification. From an ATT&CK framework perspective, this vulnerability maps to techniques involving privilege escalation and data manipulation, potentially enabling adversaries to conduct reconnaissance activities and establish persistent access to product development information. The security implications extend to compliance requirements and industry standards such as ISO 27001 and NIST cybersecurity frameworks, where maintaining data integrity and confidentiality is paramount for protecting intellectual property and maintaining competitive advantages in supply chain operations.