CVE-2024-21044 in Complex Maintenance, Repair, and Overhaulinfo

Summary

by MITRE • 04/17/2024

Vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul product of Oracle E-Business Suite (component: LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair, and Overhaul. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Complex Maintenance, Repair, and Overhaul, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Complex Maintenance, Repair, and Overhaul accessible data as well as unauthorized read access to a subset of Oracle Complex Maintenance, Repair, and Overhaul accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 04/05/2025

This vulnerability exists within Oracle E-Business Suite's Complex Maintenance, Repair, and Overhaul component, specifically in the List of Values (LOV) functionality. The flaw affects versions 12.2.3 through 12.2.13, representing a significant attack surface for organizations utilizing this enterprise resource planning system. The vulnerability's classification as easily exploitable indicates that attackers can leverage it without requiring specialized skills or privileged access, making it particularly dangerous in production environments where such systems often handle critical business data.

The technical implementation of this vulnerability stems from insufficient input validation and access control mechanisms within the LOV component. Attackers can exploit this weakness through unauthenticated HTTP network connections, bypassing traditional authentication requirements. This represents a fundamental breakdown in the security model where the system fails to properly validate user credentials or session integrity before granting access to sensitive data operations. The CVSS score of 6.1 reflects the moderate severity of the impact, with confidentiality and integrity being compromised while availability remains unaffected. The vulnerability's scope change characteristic indicates that exploitation can potentially affect additional products beyond the primary target, amplifying the overall risk to the enterprise environment.

The operational impact of this vulnerability extends beyond simple data access, as successful exploitation enables unauthorized modification of critical maintenance records and operational data. Attackers can perform update, insert, and delete operations on sensitive maintenance databases, potentially corrupting repair schedules, part inventories, and work order information. Additionally, the unauthorized read access capability allows for data exfiltration of maintenance-related information that could be valuable for competitive intelligence or operational disruption. The requirement for human interaction suggests that while the initial exploitation may require user involvement, once initiated, the attack can proceed autonomously, making detection more challenging.

Organizations should implement immediate mitigations including network segmentation to restrict access to the affected Oracle E-Business Suite components, deployment of web application firewalls to monitor and filter HTTP traffic, and regular security assessments to identify potential exploitation attempts. The vulnerability aligns with CWE-284 (Improper Access Control) and potentially CWE-352 (Cross-Site Request Forgery) depending on the specific exploitation method. From an ATT&CK framework perspective, this vulnerability maps to T1190 (Exploit Public-Facing Application) and T1071.004 (Application Layer Protocol: DNS) where attackers may leverage the HTTP interface for initial access. Regular patch management and security monitoring of Oracle E-Business Suite installations remain critical defensive measures to prevent exploitation of this and similar vulnerabilities.

Responsible

Oracle

Reservation

12/07/2023

Disclosure

04/17/2024

Moderation

accepted

CPE

ready

EPSS

0.00185

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!