CVE-2021-35553 in PeopleSoft Enterprise CS Student Recordsinfo

Summary

by MITRE • 10/20/2021

Vulnerability in the PeopleSoft Enterprise CS Student Records product of Oracle PeopleSoft (component: Class Search). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise CS Student Records. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise CS Student Records, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise CS Student Records accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise CS Student Records accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 10/26/2021

The vulnerability identified as CVE-2021-35553 affects Oracle PeopleSoft Enterprise CS Student Records version 9.2 within the Class Search component, representing a significant security weakness that demonstrates the ongoing challenges in enterprise application security. This vulnerability falls under the Common Weakness Enumeration category CWE-284 which specifically addresses improper access control, making it a critical concern for organizations relying on PeopleSoft for student record management. The flaw exists in the authentication and authorization mechanisms of the Class Search functionality, creating a pathway for malicious actors to gain unauthorized access to sensitive educational data.

The technical exploitation of this vulnerability requires an attacker to possess low privileged network access through HTTP protocols, indicating that the security controls are insufficient to prevent unauthorized access attempts. The CVSS 3.1 scoring of 5.4 reflects the moderate severity of this flaw, with confidentiality and integrity impacts rated as low, though the vector analysis reveals that the vulnerability is easily exploitable with low attack complexity and requires only local privileges. The requirement for human interaction from a person other than the attacker suggests that social engineering or targeted phishing techniques may be necessary to initiate the attack, potentially through legitimate user credentials or session tokens. This human factor element significantly increases the real-world exploitability of the vulnerability.

The operational impact of this vulnerability extends beyond the immediate PeopleSoft Enterprise CS Student Records system, as successful exploitation can compromise additional products within the Oracle PeopleSoft ecosystem. Attackers who successfully exploit this vulnerability can achieve unauthorized update, insert, or delete operations on specific data sets within the student records system, while also gaining unauthorized read access to subsets of accessible data. This dual impact on both data integrity and confidentiality creates serious risks for academic institutions, potentially allowing manipulation of student grades, enrollment status, or personal information, with consequences that could extend to regulatory compliance violations and reputational damage.

Organizations should implement immediate mitigations including network segmentation to limit access to PeopleSoft applications, enforcing strict authentication controls, and monitoring for anomalous access patterns in the Class Search component. The vulnerability also highlights the importance of regular security assessments and patch management processes, as outlined in the ATT&CK framework's privilege escalation techniques. System administrators should consider implementing additional logging and audit controls specifically for the Class Search functionality, while also ensuring that user access is strictly controlled through proper role-based access controls. The affected version 9.2 should be prioritized for patching according to Oracle's security advisory, as this vulnerability represents a clear indication of inadequate access control mechanisms that could be exploited by threat actors seeking to compromise sensitive educational data.

Responsible

Oracle

Reservation

06/28/2021

Disclosure

10/20/2021

Moderation

accepted

CPE

ready

EPSS

0.00524

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!