CVE-2024-21035 in Complex Maintenance, Repair, and Overhaul
Summary
by MITRE • 04/17/2024
Vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul product of Oracle E-Business Suite (component: LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair, and Overhaul. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Complex Maintenance, Repair, and Overhaul, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Complex Maintenance, Repair, and Overhaul accessible data as well as unauthorized read access to a subset of Oracle Complex Maintenance, Repair, and Overhaul accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Analysis
by VulDB Data Team • 04/05/2025
The vulnerability identified as CVE-2024-21035 resides in the Oracle Complex Maintenance, Repair, and Overhaul component of the Oracle E-Business Suite ecosystem, specifically in the List of Values (LOV) functionality. The flaw sits within the broader Oracle E-Business Suite framework, a comprehensive enterprise resource planning solution for organizations managing complex maintenance operations. The affected versions span 12.2.3 through 12.2.13, a substantial attack surface across multiple releases of the software. Its classification as easily exploitable indicates that attackers can leverage the weakness without specialized tools or extensive technical knowledge, making it particularly dangerous for organizations that have not yet patched their systems.
The technical nature of this vulnerability allows unauthenticated attackers to compromise the Oracle Complex Maintenance, Repair, and Overhaul functionality over HTTP, with no need for valid credentials or prior access to the system. The attack vector operates at the network level, requiring only that an attacker can reach the target system using standard HTTP. The vulnerability requires human interaction from an individual other than the attacker, so successful exploitation likely involves social engineering or a user-specific action that facilitates the attack. The CVSS 3.1 base score of 6.1 reflects the moderate severity of the flaw and accounts for both confidentiality and integrity impacts. The vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N indicates that the vulnerability is network accessible (AV:N), has low attack complexity (AC:L), requires no prior privileges (PR:N), requires user interaction (UI:R), changes scope so that products beyond the primary target are affected (S:C), and has low confidentiality and integrity impact with no availability impact (C:L/I:L/A:N).
The operational impact of this vulnerability extends beyond the immediate scope of Oracle Complex Maintenance, Repair, and Overhaul, as successful exploitation can compromise data integrity and confidentiality across related systems. Attackers can achieve unauthorized update, insert, or delete operations on sensitive maintenance data, potentially disrupting operational workflows and corrupting critical information within the maintenance management system. Additionally, the vulnerability enables unauthorized read access to subsets of data accessible through the affected component, potentially exposing sensitive maintenance records, repair histories, and overhaul documentation. The scope change aspect of this vulnerability indicates that while the primary target is the Complex Maintenance, Repair, and Overhaul module, the attack could potentially impact other Oracle E-Business Suite components or integrated systems. Organizations utilizing this software are particularly vulnerable as maintenance, repair, and overhaul operations often contain sensitive operational data that could be exploited for competitive advantage or operational disruption, with the potential for cascading effects throughout enterprise resource planning systems.
Organizations should implement immediate mitigation strategies including network segmentation to limit access to the affected Oracle E-Business Suite components, deployment of web application firewalls to monitor and filter HTTP traffic, and comprehensive patch management procedures to address the vulnerability. The remediation process should prioritize systems containing the affected Oracle E-Business Suite versions, with particular attention to those running the Complex Maintenance, Repair, and Overhaul functionality. Security teams should conduct thorough network monitoring to detect potential exploitation attempts and establish incident response protocols to address successful attacks. Additionally, organizations should review their access controls and user permissions to minimize the impact of potential unauthorized access, as the vulnerability's requirement for user interaction suggests that social engineering components may be involved in successful exploitation attempts. The vulnerability aligns with CWE-284 (Improper Access Control) and may relate to ATT&CK techniques involving privilege escalation and data manipulation within enterprise applications, emphasizing the need for comprehensive security controls across the entire Oracle E-Business Suite ecosystem.