CVE-2017-10093 in Agile PLM
Summary
by MITRE
Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: Security). Supported versions that are affected are 9.3.5 and 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Agile PLM accessible data. CVSS 3.0 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
Analysis
by VulDB Data Team • 05/08/2025
CVE-2017-10093 resides in the Oracle Agile PLM component of the Oracle Supply Chain Products Suite, in the Security subcomponent. Oracle lists versions 9.3.5 and 9.3.6 as the affected supported releases. Oracle's "easily exploitable" classification means the attack complexity is low: an attacker who can reach the application over HTTP needs no account, no existing privileges and no action from a user to trigger the flaw, which matters because Agile PLM instances typically hold product and engineering data that organizations treat as sensitive.
Oracle's advisory does not describe the underlying defect beyond placing it in the Security subcomponent and stating that an unauthenticated attacker with HTTP network access can use it to read data; no further technical detail about the affected request or endpoint is published. The CVSS 3.0 base score of 5.3 (Medium) follows directly from the vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N): network attack vector, low attack complexity, no privileges and no user interaction required, scope unchanged, and a low confidentiality impact with no impact on integrity or availability. The low score therefore reflects the limited impact (partial read access), not any difficulty in reaching or triggering the flaw.
Operationally, successful exploitation yields unauthorized read access to a subset of the data Agile PLM can reach. Oracle does not say which subset, so organizations should assume that product lifecycle records, design documents and supplier or bill-of-materials data held in the affected instance may be in scope until the vendor fix is applied. Because no write or denial-of-service impact is reported, the primary risk is disclosure of proprietary engineering and business information.
The only complete remediation is to apply the Oracle Critical Patch Update that addresses CVE-2017-10093. Until that is done, the attack path can be closed only at the network layer: because the flaw is reachable before authentication, controls inside Agile PLM itself do not help, so restrict HTTP access to the Agile PLM listener to known client networks and, where remote access is required, front it with a reverse proxy or VPN that performs its own authentication before forwarding any request. Monitor web-server and proxy logs for requests to the Agile PLM HTTP interface from unexpected source addresses, and review access to the affected versions during the exposure window. The page classifies the weakness under CWE-287 (Improper Authentication), and in ATT&CK terms it maps to Initial Access via T1190, Exploit Public-Facing Application, which makes it relevant to controls governing network exposure of business applications and their authentication boundaries.