CVE-2020-14745 in REST Data Servicesinfo

Summary

by MITRE • 10/21/2020

Vulnerability in the Oracle REST Data Services product of Oracle REST Data Services (component: General). Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c; Standalone ORDS: prior to 20.2.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 11/22/2020

The vulnerability identified as CVE-2020-14745 affects Oracle REST Data Services, a component within Oracle's broader database ecosystem designed to provide RESTful web services for database access. This vulnerability resides in the General component of ORDS and impacts multiple supported versions including 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, and 19c, with standalone ORDS versions prior to 20.2.1 also being susceptible. The vulnerability classification as easily exploitable indicates that attackers can leverage this weakness without requiring specialized skills or extensive resources, making it particularly concerning for organizations operating these systems.

The technical flaw manifests as a security weakness that allows low-privileged attackers to gain unauthorized access to specific data within Oracle REST Data Services through HTTP network connections. This represents a significant confidentiality impact as the vulnerability enables attackers to read sensitive information that should normally be restricted. The Common Weakness Enumeration classification for this type of vulnerability would typically fall under CWE-284: Improper Access Control, which encompasses weaknesses where applications fail to properly enforce access restrictions. The CVSS 3.1 scoring system assigns this vulnerability a base score of 4.3, reflecting the moderate severity level with low access complexity and the ability to compromise data confidentiality without requiring user interaction or system compromise.

From an operational standpoint, this vulnerability poses substantial risk to organizations relying on Oracle REST Data Services for database integration and web service functionality. The attack vector through HTTP network access means that even remote attackers can potentially exploit this weakness, particularly in environments where ORDS is exposed to untrusted networks or where proper network segmentation has not been implemented. Successful exploitation could result in unauthorized data access that might include sensitive database information, user credentials, or business-critical data that organizations rely on for their operations. The impact is specifically focused on confidentiality as indicated by the CVSS vector, meaning that while data can be read, there is no evidence of modification or disruption capabilities within this particular vulnerability.

Organizations should implement immediate mitigations to address this vulnerability, beginning with upgrading to supported versions of Oracle REST Data Services, particularly those released after 20.2.1. Network-level protections including firewalls, intrusion detection systems, and proper access controls should be implemented to restrict access to ORDS endpoints. The principle of least privilege should be enforced by ensuring that ORDS applications run with minimal required permissions and that access to sensitive data is properly restricted. Additionally, organizations should conduct thorough network audits to identify all instances of affected ORDS versions and implement monitoring to detect potential exploitation attempts. The ATT&CK framework would classify this vulnerability under techniques related to credential access and data extraction, making it important for security teams to monitor for unusual data access patterns and unauthorized network connections to ORDS endpoints. Regular security assessments and vulnerability scanning should be performed to identify and remediate similar access control weaknesses throughout the Oracle ecosystem.

Responsible

Oracle

Reservation

06/19/2020

Disclosure

10/21/2020

Moderation

accepted

CPE

ready

EPSS

0.00948

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!