CVE-2024-21042 in Complex Maintenance, Repair, and Overhaulinfo

Summary

by MITRE • 04/17/2024

Vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul product of Oracle E-Business Suite (component: LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair, and Overhaul. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Complex Maintenance, Repair, and Overhaul, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Complex Maintenance, Repair, and Overhaul accessible data as well as unauthorized read access to a subset of Oracle Complex Maintenance, Repair, and Overhaul accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 04/05/2025

The vulnerability identified as CVE-2024-21042 resides within Oracle E-Business Suite's Complex Maintenance, Repair, and Overhaul component, specifically within the List of Values (LOV) functionality. This flaw represents a critical security weakness that affects Oracle EBS versions 12.2.3 through 12.2.13, making it a widespread concern across numerous enterprise deployments. The vulnerability's classification as easily exploitable indicates that attackers can leverage it without requiring specialized tools or extensive technical knowledge, while the requirement for network access via HTTP means that the attack surface extends across standard web protocols.

The technical nature of this vulnerability stems from insufficient input validation and access control mechanisms within the LOV component, which allows unauthorized users to manipulate data through crafted HTTP requests. The CVSS score of 6.1 reflects the moderate severity of impact, with confidentiality and integrity being the primary affected aspects. The vulnerability's vector indicates network-based exploitation with low attack complexity, no authentication requirements, and the necessity for user interaction from someone other than the attacker. This suggests that while the initial exploitation may not require authentication, social engineering or user interaction might be needed to complete the attack successfully.

The operational impact of CVE-2024-21042 extends beyond the immediate scope of the Complex Maintenance, Repair, and Overhaul module, as evidenced by the scope change aspect of the vulnerability. This means that successful exploitation could potentially affect additional Oracle products within the EBS ecosystem, creating cascading security implications throughout the enterprise's operational environment. The vulnerability enables unauthorized modification capabilities including update, insert, and delete operations on sensitive data, while also providing read access to portions of the system's data that should remain protected. This dual impact on both data integrity and confidentiality creates significant risk for organizations relying on these maintenance operations for critical business functions.

Organizations must implement immediate mitigation strategies including network segmentation to limit access to the affected components, thorough access control reviews, and deployment of web application firewalls to monitor and filter suspicious HTTP traffic. The vulnerability aligns with CWE-284 (Improper Access Control) and represents a clear violation of the principle of least privilege, which is fundamental to secure system design. From an ATT&CK framework perspective, this vulnerability maps to techniques involving privilege escalation and data manipulation, potentially enabling adversaries to establish persistent access within the maintenance and overhaul systems. Regular security assessments and patch management processes should be prioritized to address this vulnerability, as the affected versions indicate this is likely a long-standing issue that requires immediate remediation to prevent potential data compromise across the enterprise's maintenance operations.

Responsible

Oracle

Reservation

12/07/2023

Disclosure

04/17/2024

Moderation

accepted

CPE

ready

EPSS

0.00346

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!