CVE-2021-35541 in PeopleSoft Enterprise SCM
Summary
by MITRE • 10/20/2021
Vulnerability in the PeopleSoft Enterprise SCM product of Oracle PeopleSoft (component: Supplier Portal). The supported version that is affected is 9.2. Easily exploitable vulnerability allows a low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise SCM. Successful attacks require human interaction from a person other than the attacker and, while the vulnerability is in PeopleSoft Enterprise SCM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise SCM accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise SCM accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
Analysis
by VulDB Data Team • 10/26/2021
CVE-2021-35541 is a security flaw in the Oracle PeopleSoft Enterprise SCM product, specifically in the Supplier Portal component. It affects version 9.2 and is reachable over the network via HTTP by an attacker holding only low privileges. Oracle's classification of the issue as easily exploitable corresponds to the low attack complexity (AC:L) in the vector: no special conditions or significant technical expertise are needed to leverage the weakness, which is particularly concerning in enterprise environments where PeopleSoft systems handle sensitive business data. The CVSS 3.1 base score of 5.4 reflects moderate severity, with impacts on both the confidentiality and the integrity of the affected data.
Technically, the vulnerability stems from insufficient access controls in the Supplier Portal component, which allow a low-privileged attacker to perform unauthorized update, insert, or delete operations on data. The attack requires interaction from a person other than the attacker (UI:R), so some form of social engineering or user manipulation is likely needed to trigger it. Such user-interaction-dependent attacks can be harder to defend against than purely technical ones, because they exploit human behaviour as well as a software weakness. The changed scope (S:C) also means the impact is not confined to PeopleSoft Enterprise SCM itself: connected products in the enterprise environment may be affected as well.
From an operational standpoint, successful exploitation can compromise data across the PeopleSoft Enterprise SCM environment. Unauthorized read access to a subset of data, combined with the ability to make unauthorized modifications, puts both data integrity and business continuity at risk. Organizations that rely on PeopleSoft for supplier management and procurement could see their supply chain operations disrupted if supplier information is manipulated, procurement records are altered, or sensitive financial data is exposed. The CVSS vector (network access, low attack complexity, user interaction required) indicates that defensive strategies should address both the technical and the human factors involved.
The vulnerability aligns with CWE-284 (Improper Access Control), and its use is consistent with ATT&CK techniques T1078 (Valid Accounts) and T1566 (Phishing, the social engineering needed for the user-interaction step). Mitigation should combine immediate patching of affected systems, enhanced monitoring of Supplier Portal activity, and user education to reduce the chance that the required interaction is obtained. Network segmentation and access control measures should be strengthened to limit lateral movement, which matters here because the changed scope means a successful attack can reach beyond PeopleSoft Enterprise SCM. Regular security assessments of the other PeopleSoft components will help identify similar weaknesses, since in an interconnected enterprise application a compromise of one component can affect multiple business processes and data repositories across the organization.