CVE-2024-20951 in Customer Interaction Historyinfo

Summary

by MITRE • 02/17/2024

Vulnerability in the Oracle Customer Interaction History product of Oracle E-Business Suite (component: Outcome-Result). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Customer Interaction History. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Customer Interaction History, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Customer Interaction History accessible data as well as unauthorized read access to a subset of Oracle Customer Interaction History accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 04/20/2025

The vulnerability identified as CVE-2024-20951 resides within Oracle Customer Interaction History, a component of the Oracle E-Business Suite ecosystem specifically within the Outcome-Result module. This vulnerability affects a broad range of supported versions from 12.2.3 through 12.2.13, indicating a substantial attack surface across multiple releases of the enterprise suite. The vulnerability classification as easily exploitable suggests that attackers can leverage network-based HTTP access without requiring authentication credentials, presenting a significant risk to organizations utilizing these Oracle EBS versions. The CVSS 3.1 base score of 6.1 reflects moderate severity with particular emphasis on confidentiality and integrity impacts, while the scope change aspect indicates that successful exploitation could extend beyond the targeted component to affect additional products within the Oracle EBS environment.

The technical flaw manifests as a weakness in the authentication and authorization mechanisms governing access to the Customer Interaction History functionality. Attackers can exploit this vulnerability through unauthenticated HTTP network connections, requiring only basic network access to the affected Oracle EBS instances. The necessity for human interaction from individuals other than the attacker indicates that social engineering or user-specific actions may be required to facilitate the attack, though the core vulnerability remains accessible without traditional authentication. This requirement for human interaction reduces the automated exploitation potential but does not eliminate the threat entirely, as attackers can still manipulate user behavior through phishing or other social engineering tactics to achieve their objectives. The vulnerability's impact extends to unauthorized data modification capabilities including updates, inserts, and deletions of sensitive customer interaction records, alongside unauthorized read access to subsets of accessible data, potentially exposing confidential customer information and interaction history.

The operational impact of CVE-2024-20951 represents a significant concern for organizations maintaining customer interaction data within Oracle EBS environments, as the vulnerability can lead to data integrity compromise and unauthorized access to sensitive customer information. The scope change aspect of this vulnerability means that successful attacks could potentially affect additional Oracle EBS products beyond the immediate Customer Interaction History component, creating cascading security implications throughout the enterprise suite. Organizations may face regulatory compliance challenges if customer interaction data becomes compromised, particularly in industries subject to data protection regulations such as GDPR, HIPAA, or PCI DSS standards. The confidentiality and integrity impacts align with CWE-287 (Improper Authentication) and CWE-284 (Improper Access Control) classifications, while the attack vector through HTTP connections maps to ATT&CK technique T1190 (Exploit Public-Facing Application) and T1071.004 (Application Layer Protocol: DNS) for network-based exploitation.

Organizations should implement immediate mitigations including applying Oracle's security patches and updates as released for this vulnerability, restricting HTTP access to Oracle EBS components through network segmentation and firewall rules, and implementing additional authentication controls for sensitive modules. The vulnerability's CVSS vector indicates that organizations should prioritize this issue in their vulnerability management processes, particularly given the scope change potential that could affect multiple Oracle EBS products. Network monitoring should be enhanced to detect unusual HTTP access patterns to Oracle EBS components, and user access controls should be reviewed to ensure least privilege principles are maintained. The requirement for human interaction suggests that employee security awareness training should be reinforced to prevent social engineering attacks that could facilitate exploitation of this vulnerability. Organizations should also consider implementing database activity monitoring solutions to detect unauthorized data access or modification activities within Oracle Customer Interaction History and related modules.

Reservation

12/07/2023

Disclosure

02/17/2024

Moderation

accepted

CPE

ready

EPSS

0.00342

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!