CVE-2024-21040 in Complex Maintenance, Repair, and Overhaulinfo

Summary

by MITRE • 04/17/2024

Vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul product of Oracle E-Business Suite (component: LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair, and Overhaul. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Complex Maintenance, Repair, and Overhaul, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Complex Maintenance, Repair, and Overhaul accessible data as well as unauthorized read access to a subset of Oracle Complex Maintenance, Repair, and Overhaul accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 04/05/2025

The vulnerability identified as CVE-2024-21040 affects Oracle Complex Maintenance, Repair, and Overhaul within the Oracle E-Business Suite ecosystem, specifically within the List of Values (LOV) component. This represents a significant security weakness in enterprise resource planning systems that are widely deployed across industrial and manufacturing organizations. The affected versions span from 12.2.3 through 12.2.13, indicating a substantial attack surface across multiple release cycles of the Oracle E-Business Suite. The vulnerability's classification as easily exploitable suggests that threat actors can leverage relatively straightforward attack vectors without requiring specialized tools or extensive technical expertise.

The technical flaw manifests as an authentication bypass vulnerability that operates through HTTP network access, allowing unauthenticated attackers to compromise the targeted system. This vulnerability requires human interaction from individuals other than the attacker, indicating that social engineering or user manipulation may be necessary to initiate the attack chain. The attack vector specifically targets the LOV component within the Complex Maintenance, Repair, and Overhaul functionality, which typically handles critical operational data for maintenance scheduling, parts management, and repair workflows. The CVSS 3.1 base score of 6.1 reflects moderate severity but significant impact potential, with confidentiality and integrity impacts rated as low to moderate, while the scope change aspect indicates that successful exploitation can affect additional products beyond the primary target.

The operational impact of this vulnerability extends beyond the immediate maintenance and repair systems, potentially affecting broader enterprise operations and data integrity. Attackers who successfully exploit this vulnerability can gain unauthorized update, insert, or delete access to sensitive maintenance data, potentially disrupting operational workflows, altering maintenance schedules, or manipulating repair records. Additionally, the vulnerability enables unauthorized read access to subsets of maintenance-related data, which could expose critical operational information including equipment specifications, maintenance histories, and repair costs. The scope change aspect of this vulnerability means that exploitation could potentially cascade into other Oracle E-Business Suite components or integrated systems, amplifying the overall impact beyond the initial attack surface. This vulnerability aligns with CWE-287 (Improper Authentication) and may map to ATT&CK techniques involving credential access and privilege escalation.

Organizations affected by this vulnerability should prioritize immediate remediation through Oracle's security patches and updates, as the vulnerability's easily exploitable nature makes it a high-priority target for threat actors. Network segmentation and access controls should be reviewed to limit potential attack vectors, while monitoring systems should be enhanced to detect anomalous access patterns to maintenance and repair data. The human interaction requirement suggests that employee awareness training should be strengthened to prevent social engineering attacks that might facilitate exploitation. Security teams should also conduct comprehensive vulnerability assessments across their entire Oracle E-Business Suite deployment to identify potential additional vulnerabilities within the same attack surface, particularly focusing on authentication mechanisms and data access controls. The vulnerability's impact on both confidentiality and integrity properties requires organizations to implement robust data backup and recovery procedures to ensure operational continuity in case of successful exploitation.

Responsible

Oracle

Reservation

12/07/2023

Disclosure

04/17/2024

Moderation

accepted

CPE

ready

EPSS

0.00382

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!