CVE-2024-21022 in Complex Maintenance, Repair, and Overhaul

Summary

by MITRE • 04/17/2024

Vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul product of Oracle E-Business Suite (component: LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair, and Overhaul. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Complex Maintenance, Repair, and Overhaul, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Complex Maintenance, Repair, and Overhaul accessible data as well as unauthorized read access to a subset of Oracle Complex Maintenance, Repair, and Overhaul accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).


Analysis

by VulDB Data Team • 04/05/2025

The vulnerability identified as CVE-2024-21022 affects Oracle Complex Maintenance, Repair, and Overhaul within the Oracle E-Business Suite ecosystem, specifically in the List of Values (LOV) component. It exists in versions 12.2.3 through 12.2.13 and represents a significant security gap for organizations that rely on this maintenance and repair management system. Its classification as easily exploitable means that an attacker needs neither specialized skills nor privileged access, which makes it particularly dangerous in enterprise environments where such systems handle critical operational data.

The technical flaw is an insufficient authorization mechanism in the LOV component that is reachable by unauthenticated network access over HTTP. This weakness gives an attacker a path to compromise the system without valid credentials or prior access rights. The vulnerability requires human interaction from a user other than the attacker, suggesting that social engineering or targeted user engagement may be needed to initiate the attack. Once initiated, however, the attack can compromise the targeted system and extend its impact to related products within the Oracle E-Business Suite ecosystem; this scope change is what makes the vulnerability particularly concerning for enterprise security architects.

From an operational-impact perspective, successful exploitation lets an attacker make unauthorized modifications to critical maintenance data (updates, inserts, and deletes of sensitive information). An attacker can also gain unauthorized read access to specific subsets of data within the system, potentially exposing confidential maintenance records, repair histories, and operational details. The CVSS 3.1 base score of 6.1 reflects the moderate severity of this vulnerability: the confidentiality and integrity impacts are each rated low, while the scope change raises the overall risk. The attack vector requires network access via HTTP and has low complexity, so it is accessible to a broad range of threat actors.

Security professionals should combine several mitigations to address this vulnerability effectively. Network segmentation and access controls should be reinforced to limit unauthorized HTTP access to the affected components. Patch management must be prioritized so that Oracle's security updates are deployed promptly. The vulnerability aligns with CWE-284 (Improper Access Control) and may correlate with ATT&CK techniques related to credential access and privilege escalation. Organizations should also assess their Oracle E-Business Suite deployments for additional attack surfaces that might be affected by similar authorization flaws. Monitoring network traffic for suspicious HTTP requests and deploying intrusion detection systems can help identify exploitation attempts before they result in data compromise.

Responsible

Oracle

Reservation

12/07/2023

Disclosure

04/17/2024

Moderation

accepted

CPE

ready

EPSS

0.00382

KEV

no

Activities

very low

Sources
