CVE-2024-21024 in Complex Maintenance, Repair, and Overhaul

Summary

by MITRE • 04/17/2024

Vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul product of Oracle E-Business Suite (component: LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair, and Overhaul. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Complex Maintenance, Repair, and Overhaul, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Complex Maintenance, Repair, and Overhaul accessible data as well as unauthorized read access to a subset of Oracle Complex Maintenance, Repair, and Overhaul accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).


Analysis

by VulDB Data Team • 04/05/2025

The vulnerability identified as CVE-2024-21024 affects Oracle Complex Maintenance, Repair, and Overhaul component within the Oracle E-Business Suite ecosystem. This represents a significant security weakness that exists in versions 12.2.3 through 12.2.13 of the software suite. The vulnerability resides specifically within the LOV (List of Values) functionality, which is a critical component for data validation and user interface elements in maintenance operations. The affected system operates under the broader Oracle E-Business Suite framework, which serves as a comprehensive enterprise resource planning solution for organizations managing complex maintenance workflows.

The technical flaw manifests as an easily exploitable vulnerability that permits unauthenticated network access via HTTP protocols. This means that malicious actors can potentially access the system without requiring valid credentials or authentication mechanisms, representing a severe breach of the principle of least privilege. The vulnerability requires human interaction from users other than the attacker, indicating that while the initial exploitation might be automated, user engagement or specific system conditions are necessary to complete the attack vector. This characteristic places the vulnerability in the category of user-interaction dependent attacks, which can be particularly dangerous in enterprise environments where user behavior may be unpredictable.

The operational impact of this vulnerability extends beyond the immediate scope of the Complex Maintenance, Repair, and Overhaul component, creating what is termed a scope change effect. This means that successful exploitation can potentially affect additional Oracle products within the same ecosystem, amplifying the potential damage. The CVSS 3.1 base score of 6.1 reflects the moderate to high severity of the issue, with particular emphasis on confidentiality and integrity impacts. Attackers can achieve unauthorized update, insert, or delete operations against specific data within the affected system, while also gaining unauthorized read access to subsets of accessible data. This dual impact on both data modification and information disclosure creates multiple attack vectors for threat actors seeking to compromise enterprise maintenance operations.

The vulnerability's classification aligns with CWE-284 (Improper Access Control) and follows patterns consistent with ATT&CK technique T1078 (Valid Accounts) and T1190 (Exploit Public-Facing Application). Organizations utilizing this software face significant risk of data integrity compromise and potential operational disruption in their maintenance workflows. The attack vector through HTTP protocols suggests that the vulnerability could be exploited from external networks, making it particularly concerning for organizations that expose their maintenance systems to the internet or maintain less secure network perimeters. The requirement for human interaction reduces the automated exploitation potential but does not eliminate the threat, as social engineering or targeted attacks could still leverage this vulnerability effectively.

Mitigation strategies should focus on immediate patching of affected Oracle E-Business Suite versions, implementation of network segmentation to limit access to maintenance systems, and deployment of web application firewalls to monitor and restrict HTTP traffic. Organizations should also consider implementing additional access controls and monitoring mechanisms to detect unauthorized access attempts. The CVSS vector indicates that while the attack requires low complexity and no privileges, the impact on data integrity and confidentiality requires immediate attention. Regular security assessments and vulnerability scanning should be implemented to identify similar weaknesses in related Oracle products and prevent scope creep from affecting additional systems within the enterprise environment.

Responsible: Oracle

Reservation: 12/07/2023

Disclosure: 04/17/2024

Moderation: accepted

CPE: ready

EPSS: 0.00382

KEV: no

Activities: very low

Sources
