CVE-2017-10299 in Agile PLM

Summary

by MITRE

Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: Security). Supported versions that are affected are 9.3.5 and 9.3.6. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Agile PLM accessible data. CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).


Analysis

by VulDB Data Team • 05/08/2025

The vulnerability identified as CVE-2017-10299 resides in the Oracle Agile PLM component of the Oracle Supply Chain Products Suite, specifically in the Security subcomponent. It affects Oracle Agile PLM versions 9.3.5 and 9.3.6 and represents a significant security weakness for organizations relying on this product for product lifecycle management. The flaw is easily exploitable and requires only minimal privileges, making it particularly dangerous in environments where security controls may be insufficient.

The technical nature of this vulnerability stems from insufficient access controls within the Oracle Agile PLM application, which allow attackers with low privilege levels to perform unauthorized data access operations. The vulnerability is reachable over HTTP network connections, so an attacker can potentially exploit it from a remote location without physical access to the system. This remote exploitability significantly increases the attack surface and potential impact of the vulnerability. CVSS 3.0 rates it with a base score of 4.3, a moderate severity level, with the impact limited to confidentiality.

The operational impact of CVE-2017-10299 is substantial for organizations using Oracle Agile PLM, as successful exploitation can result in unauthorized read access to sensitive data within the system. This could expose proprietary product information, design specifications, engineering data, and other confidential business information that organizations rely on for competitive advantage. Because the attack requires only low privileges, even users with minimal system access rights could potentially exploit this weakness, which adds risk for organizations where privilege restrictions are not properly enforced. That access is limited to a subset of data suggests that, while the complete system may not be compromised, significant portions of the product lifecycle management data could be accessed by unauthorized parties.

From a cybersecurity framework perspective, this vulnerability aligns with CWE-284 (Improper Access Control) and represents a clear violation of the principle of least privilege. Its characteristics also map to ATT&CK techniques T1078 (Valid Accounts) and T1046 (Network Service Scanning), as attackers may leverage legitimate accounts to exploit the weakness and then potentially scan for additional vulnerabilities. Organizations should implement immediate mitigations, including applying the relevant Oracle security patches, implementing network segmentation to limit access to the affected system, and conducting thorough access control reviews. The vulnerability demonstrates the importance of keeping security patches up to date and the need for proper network monitoring to detect unauthorized access attempts. Organizations should also consider further security controls, such as web application firewalls and enhanced logging mechanisms, to detect and prevent exploitation attempts.

Reservation

06/21/2017

Disclosure

10/19/2017

Moderation

accepted

CPE

ready

EPSS

0.01004

KEV

no

Activities

very low
