CVE-2020-2747 in Access Manager

Summary

by MITRE

Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: SSO Engine). Supported versions that are affected are 11.1.2.3.0 and 12.2.1.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Access Manager accessible data as well as unauthorized read access to a subset of Oracle Access Manager accessible data. CVSS 3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).


Analysis

by VulDB Data Team • 05/07/2025

CVE-2020-2747 is a security flaw in the Single Sign-On (SSO) engine component of Oracle Access Manager, affecting versions 11.1.2.3.0 and 12.2.1.3.0 of the Fusion Middleware suite. It operates at the application layer and has the characteristics of a privilege escalation issue reachable over network HTTP. Exploitation requires little technical sophistication: a low-privileged attacker with network access to the target can trigger it, and its classification as easily exploitable indicates that no specialized knowledge or resources are needed.

The flaw lies in the SSO engine's authentication and authorization mechanisms, where insufficient input validation and access control checks allow an attacker to manipulate session management. Its impact is not confined to Oracle Access Manager: the scope is changed (S:C in the CVSS vector), so other Oracle products in the same ecosystem can be affected, which illustrates how a single flaw in a shared identity component can spread compromise across an enterprise. The CVSS 3.0 base score of 5.4 reflects moderate severity, driven by the low confidentiality and integrity impacts that correspond to unauthorized data access and manipulation.

For organizations that rely on Oracle Access Manager for identity and access management, the operational implications are significant. Successful exploitation allows unauthorized modification of some accessible data (insert, update or delete) and unauthorized read access to a subset of it, potentially exposing information that should remain protected. The requirement for interaction from a person other than the attacker (UI:R) means exploitation is likely to involve social engineering or deception, with a victim unknowingly performing an action that completes the attack; such user-assisted flaws remain practical to exploit in real-world scenarios.

Organizations should apply the relevant Oracle Critical Patch Update and use network segmentation to limit who can reach Oracle Access Manager components. The vulnerability's classification under CWE-284 (Improper Access Control) and its mapping to ATT&CK technique T1078 (Valid Accounts) point to defense in depth: monitor authentication activity closely and enforce least privilege. Security assessments and penetration testing should look for similar access control weaknesses across the Oracle Fusion Middleware environment, and patch management and remediation procedures for enterprise identity systems should be kept current.

Responsible

Oracle

Reservation

12/10/2019

Moderation

accepted

CPE

ready

EPSS

0.00712

KEV

no

Activities

very low
