CVE-2017-10368 in PeopleSoft Enterprise SCM eProcurement
Summary
by MITRE
Vulnerability in the PeopleSoft Enterprise SCM eProcurement component of Oracle PeopleSoft Products (subcomponent: Manage Requisition Status). Supported versions that are affected are 9.1.00 and 9.2.00. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise SCM eProcurement. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise SCM eProcurement, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise SCM eProcurement accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise SCM eProcurement accessible data. CVSS 3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Analysis
by VulDB Data Team • 01/19/2021
The vulnerability identified as CVE-2017-10368 resides in the Oracle PeopleSoft Enterprise SCM eProcurement component, specifically in the Manage Requisition Status subcomponent. It affects Oracle PeopleSoft Products versions 9.1.00 and 9.2.00 and represents a significant security weakness in enterprise procurement systems. The vulnerability operates at the application layer and is consistent with CWE-284, improper access control. It allows an unauthenticated attacker with network access via HTTP to compromise the targeted eProcurement system.
The vulnerability stems from insufficient authentication and authorization controls within the Manage Requisition Status functionality. An attacker can leverage this weakness without prior credentials or privileged access, which makes it particularly dangerous in enterprise environments where PeopleSoft systems handle sensitive procurement data. The CVSS base score of 6.1 reflects moderate severity, with confidentiality and integrity impacts rated low but still significant. The attack vector requires network access via HTTP and human interaction from a user other than the attacker, indicating that social engineering or user manipulation may be required to complete exploitation. This characteristic aligns with ATT&CK technique T1203, which involves user interaction to execute malicious code.
The operational impact of this vulnerability extends beyond the immediate eProcurement system, potentially affecting additional Oracle products within the enterprise environment. Successful exploitation can result in unauthorized modification of procurement data through update, insert, or delete operations, while also enabling unauthorized read access to sensitive procurement information. The compromised data scope includes a subset of PeopleSoft Enterprise SCM eProcurement accessible data, which typically encompasses purchase requisitions, vendor information, and procurement workflows. This vulnerability represents a critical threat to supply chain integrity and financial controls, as procurement systems often contain sensitive business information and transactional data that could be leveraged for financial fraud or competitive intelligence gathering.
Organizations should implement immediate mitigations, including network segmentation to restrict HTTP access to PeopleSoft components, deployment of web application firewalls to monitor and filter malicious requests, and enforcement of strong authentication for all administrative functions. Because the vulnerability is classified as easily exploitable, organizations should prioritize patch management and consider additional monitoring controls to detect unauthorized access attempts. Security teams should also conduct comprehensive vulnerability assessments to identify similar weaknesses in other PeopleSoft components and related systems. The CVSS vector records no availability impact (A:N), but the confidentiality and integrity implications require immediate attention through proper access control enforcement and regular security audits of procurement processes.