CVE-2024-20941 in Installed Baseinfo

Summary

by MITRE • 02/17/2024

Vulnerability in the Oracle Installed Base product of Oracle E-Business Suite (component: HTML UI). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Installed Base. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Installed Base, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Installed Base accessible data as well as unauthorized read access to a subset of Oracle Installed Base accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 03/18/2025

The vulnerability identified as CVE-2024-20941 affects Oracle E-Business Suite's Installed Base component, specifically within the HTML User Interface layer. This represents a significant security weakness in Oracle's enterprise resource planning suite that has affected versions ranging from 12.2.3 through 12.2.13. The vulnerability's classification as easily exploitable indicates that attackers can leverage it with minimal technical sophistication, making it particularly dangerous in production environments where such systems often handle sensitive business data. The attack vector requires only network access via HTTP, eliminating the need for complex network penetration techniques or privileged access within the organization's infrastructure.

The technical flaw manifests as an authentication bypass vulnerability that allows unauthenticated attackers to compromise the Oracle Installed Base system. This weakness stems from insufficient access controls within the HTML UI component, enabling malicious actors to perform unauthorized operations against the database backend. The vulnerability's scope extends beyond the immediate Installed Base component, as indicated by the scope change aspect of the attack vector. This means that successful exploitation can potentially impact additional Oracle products within the same suite, creating a cascading effect that multiplies the potential damage. The CVSS 3.1 base score of 6.1 reflects the moderate severity of the vulnerability, with particular emphasis on confidentiality and integrity impacts.

The operational impact of this vulnerability is substantial, as it enables attackers to perform unauthorized data manipulation operations including updates, inserts, and deletes on sensitive Oracle Installed Base data. Additionally, the vulnerability allows unauthorized read access to subsets of data that should remain protected, potentially exposing confidential business information, customer data, or operational details. The requirement for human interaction from a person other than the attacker suggests that social engineering or targeted phishing attacks may be necessary to initially gain access, but once the vulnerability is exploited, attackers can operate with significant privileges. This creates a scenario where the vulnerability can be weaponized through targeted attacks that combine traditional social engineering with the technical exploitation of the security flaw.

The vulnerability aligns with CWE-287, which addresses authentication flaws in software systems, and follows patterns commonly associated with the ATT&CK framework's privilege escalation and credential access techniques. Organizations should implement immediate mitigations including applying Oracle's security patches, implementing network segmentation to restrict access to the affected components, and monitoring network traffic for suspicious HTTP requests. Additional defensive measures should include disabling unnecessary HTTP interfaces, implementing web application firewalls, and conducting comprehensive security audits of the Oracle E-Business Suite environment. The scope change aspect of this vulnerability underscores the importance of holistic security assessments that consider how vulnerabilities in one component can affect the broader enterprise ecosystem, making layered defense strategies essential for protecting against such cascading security incidents.

Reservation

12/07/2023

Disclosure

02/17/2024

Moderation

accepted

CPE

ready

EPSS

0.00361

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!