CVE-2022-21458 in PeopleSoft Enterprise PeopleTools
Summary
by MITRE • 04/20/2022
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Navigation Pages, Portal, Query). Supported versions that are affected are 8.58 and 8.59. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Analysis
by VulDB Data Team • 04/26/2022
The CVE-2022-21458 vulnerability represents a critical security flaw in Oracle PeopleSoft Enterprise PeopleTools versions 8.58 and 8.59. It resides in the Navigation Pages, Portal, and Query components of the PeopleTools suite, which are fundamental to application navigation and data access within Oracle's PeopleSoft platform. The flaw is an authentication bypass that allows unauthenticated attackers to reach sensitive system resources over standard HTTP network connections. It is classified under CWE-287 (Improper Authentication) and aligned with ATT&CK technique T1078.004, which covers valid accounts and credential access through web application vulnerabilities.
Exploitation requires minimal attacker effort: the vulnerability is rated easily exploitable, with low attack complexity. The CVSS 3.1 base score of 6.1 reflects moderate severity, with confidentiality and integrity each affected at a low level. The scope change, however, is a significant operational concern, because the impact can extend to products beyond the PeopleTools component itself. The vulnerability enables unauthorized update, insert, and delete operations against some PeopleTools accessible data, and unauthorized read access to a subset of that data. This combined impact on data integrity and confidentiality creates substantial risk for organizations relying on PeopleSoft for business-critical applications.
The requirement for interaction by a person other than the attacker indicates that the vulnerability may be triggered through social engineering or user-specific actions, potentially involving a targeted phishing campaign or legitimate user behavior that inadvertently enables exploitation. This places an additional burden on organizational security practices: user activity must be monitored and awareness training maintained to prevent accidental exploitation. Organizations running PeopleSoft Enterprise PeopleTools 8.58 or 8.59 should immediately implement mitigations including network segmentation, enhanced monitoring of HTTP traffic, and application-level controls that restrict access to the vulnerable components. Because the scope changes, the vulnerability may affect interconnected systems within the PeopleSoft ecosystem, extending the impact beyond the immediate PeopleTools environment to related Oracle applications and databases. Security teams should assess their entire PeopleSoft deployment to identify and remediate similar issues in other components of the platform.