CVE-2024-20958 in Installed Baseinfo

Summary

by MITRE • 02/17/2024

Vulnerability in the Oracle Installed Base product of Oracle E-Business Suite (component: Engineering Change Order). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Installed Base. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Installed Base, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Installed Base accessible data as well as unauthorized read access to a subset of Oracle Installed Base accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 04/20/2025

The vulnerability identified as CVE-2024-20958 resides within Oracle E-Business Suite's Installed Base product, specifically within the Engineering Change Order component. This security flaw affects Oracle E-Business Suite versions 12.2.3 through 12.2.13, representing a significant exposure across a substantial portion of the product's supported release lifecycle. The vulnerability's classification as easily exploitable indicates that attackers can leverage relatively straightforward techniques to compromise the system, making it particularly concerning for organizations running these legacy versions.

The technical nature of this vulnerability manifests through an insufficient authorization mechanism that allows low privileged attackers to perform unauthorized operations against the Installed Base component. The attack vector requires network access via HTTP, which means that the vulnerability can be exploited remotely without requiring physical access to the system. The CVSS 3.1 base score of 5.4 reflects a moderate severity level, though the impact is significant enough to warrant immediate attention. The score breaks down into confidentiality and integrity impacts, with a low impact on availability, indicating that the primary concerns are data manipulation and unauthorized access rather than system disruption.

The operational impact of this vulnerability extends beyond the immediate Installed Base component, as evidenced by the scope change aspect of the attack. Successful exploitation can result in unauthorized update, insert, or delete operations against sensitive data within the Installed Base, potentially corrupting critical engineering records and configuration data. Additionally, attackers can gain unauthorized read access to subsets of data that should remain protected, potentially exposing proprietary information, customer data, or system configuration details. The requirement for human interaction from a person other than the attacker suggests that social engineering or targeted phishing campaigns may be necessary to initiate the attack, though this does not significantly reduce the overall risk level.

Organizations affected by this vulnerability should consider several mitigation strategies to reduce exposure. The most critical approach involves applying the relevant Oracle security patches as soon as they become available, which would address the underlying authorization flaw. Network segmentation and access controls should be implemented to limit access to the affected components, particularly restricting HTTP access to authorized personnel only. Monitoring for suspicious HTTP traffic patterns and implementing intrusion detection systems can help identify potential exploitation attempts. The vulnerability aligns with CWE-284 (Improper Access Control) and may map to ATT&CK techniques involving privilege escalation and credential access, making it a significant concern for organizations following established cybersecurity frameworks. Regular security assessments and vulnerability scanning should be conducted to ensure that similar issues are not present in other components of the Oracle E-Business Suite ecosystem.

The scope change aspect of this vulnerability highlights the interconnected nature of enterprise applications, where compromising one component can potentially affect multiple systems within the organization's infrastructure. This characteristic makes the vulnerability particularly dangerous as it can serve as a stepping stone for more extensive attacks. Organizations should also consider implementing comprehensive data backup and recovery procedures, as the potential for data modification or deletion requires robust recovery mechanisms. The vulnerability's impact on both confidentiality and integrity demonstrates the need for layered security approaches that address multiple attack vectors simultaneously. Regular security awareness training for personnel who interact with the affected systems can help prevent successful exploitation through social engineering techniques that might be required to initiate the attack.

Reservation

12/07/2023

Disclosure

02/17/2024

Moderation

accepted

CPE

ready

EPSS

0.00340

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!