CVE-2024-21043 in Complex Maintenance, Repair, and Overhaulinfo

Summary

by MITRE • 04/17/2024

Vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul product of Oracle E-Business Suite (component: LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair, and Overhaul. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Complex Maintenance, Repair, and Overhaul, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Complex Maintenance, Repair, and Overhaul accessible data as well as unauthorized read access to a subset of Oracle Complex Maintenance, Repair, and Overhaul accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 04/05/2025

The vulnerability identified as CVE-2024-21043 resides within Oracle E-Business Suite's Complex Maintenance, Repair, and Overhaul component, specifically within the List of Values (LOV) functionality. This represents a critical security weakness that affects Oracle E-Business Suite versions 12.2.3 through 12.2.13, making it a widespread concern across numerous enterprise environments that utilize this maintenance management platform. The vulnerability's classification as easily exploitable indicates that attackers can leverage it without requiring specialized tools or extensive technical knowledge, while the requirement for network access via HTTP means that the attack surface extends to any system with exposed web services.

The technical flaw manifests as a lack of proper authentication and authorization controls within the LOV component, allowing unauthenticated attackers to gain unauthorized access to sensitive maintenance data. This vulnerability operates under the Common Weakness Enumeration framework as CWE-287, which encompasses improper authentication issues that enable unauthorized access to system resources. The CVSS 3.1 score of 6.1 reflects the moderate severity of impact, with confidentiality and integrity affected at a low level, though the scope change aspect indicates that successful exploitation could extend beyond the primary target to affect additional products within the Oracle E-Business Suite ecosystem. The vector analysis reveals that network-based attacks require low attack complexity and no privilege requirements, while human interaction is necessary to complete the exploitation process.

The operational impact of this vulnerability extends beyond simple data access, as attackers can perform unauthorized update, insert, or delete operations on maintenance-related data, potentially compromising the integrity of critical repair and maintenance records. Additionally, the unauthorized read access to subset data means that sensitive operational information could be extracted, potentially revealing maintenance schedules, equipment status, or repair histories that could be exploited for competitive advantage or further attacks. The scope change aspect of the vulnerability means that even though the initial attack vector targets the LOV component, the consequences could propagate to affect other interconnected modules within the Oracle E-Business Suite, creating cascading security implications.

Organizations should implement immediate mitigations including network segmentation to restrict access to Oracle E-Business Suite components, deployment of web application firewalls to monitor and filter HTTP traffic, and implementation of additional authentication controls for the affected LOV functionality. The ATT&CK framework categorizes this vulnerability under T1190 - Exploit Public-Facing Application, indicating that adversaries would likely target exposed web interfaces to establish initial access. Regular security assessments and monitoring of access logs should be implemented to detect potential exploitation attempts, while patch management procedures should be prioritized to address this vulnerability through Oracle's official security updates. Organizations should also consider implementing role-based access controls and privilege separation to minimize the potential impact should exploitation occur, ensuring that maintenance data access is restricted to authorized personnel only.

Responsible

Oracle

Reservation

12/07/2023

Disclosure

04/17/2024

Moderation

accepted

CPE

ready

EPSS

0.00197

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!