CVE-2024-21287 in Agile PLM Frameworkinfo

Summary

by MITRE • 11/19/2024

Vulnerability in the Oracle Agile PLM Framework product of Oracle Supply Chain (component: Software Development Kit, Process Extension). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM Framework. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile PLM Framework accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 02/19/2025

The vulnerability identified as CVE-2024-21287 resides within the Oracle Agile PLM Framework, specifically affecting the Software Development Kit and Process Extension components. This issue impacts version 9.3.6 of the Oracle Supply Chain product line, representing a significant security weakness that exposes organizations to potential unauthorized access. The vulnerability's classification as easily exploitable indicates that attackers can leverage it without requiring specialized skills or privileged access, making it particularly dangerous in production environments where such systems often contain sensitive product lifecycle management data.

The technical flaw manifests through an insufficient authentication mechanism within the HTTP interface of the Agile PLM Framework, allowing unauthenticated attackers to exploit the system remotely. This vulnerability operates at the network level with a CVSS base score of 7.5, indicating high severity primarily due to confidentiality impacts. The attack vector requires only network access via HTTP protocol, eliminating the need for additional attack prerequisites or user interaction. The vulnerability's characteristics align with CWE-287, which addresses improper authentication issues, and represents a critical weakness in the system's access control mechanisms.

The operational impact of this vulnerability extends beyond simple data theft, potentially enabling complete compromise of all accessible data within the Oracle Agile PLM Framework environment. Attackers who successfully exploit this vulnerability can gain unauthorized access to critical product lifecycle management information, including design specifications, manufacturing processes, supplier data, and other sensitive business intelligence. This access could severely disrupt operations, compromise intellectual property, and potentially lead to competitive disadvantages or regulatory compliance violations. The vulnerability affects the entire system's data confidentiality, as indicated by the CVSS vector showing high confidentiality impact with no integrity or availability implications.

Organizations should implement immediate mitigations including network segmentation to restrict access to the affected system, deployment of web application firewalls to monitor and filter HTTP traffic, and consideration of temporary access restrictions to the affected components. The vulnerability's nature suggests that standard network security measures may be insufficient, requiring more robust authentication controls and monitoring solutions. Security teams should conduct comprehensive assessments of their Agile PLM Framework implementations to identify all potentially affected systems and ensure proper patch management procedures are in place. The threat landscape for this vulnerability aligns with ATT&CK technique T1190, which covers exploiting weaknesses in web applications, and represents a significant risk for organizations managing critical product development data.

Responsible

Oracle

Reservation

12/07/2023

Disclosure

11/19/2024

Moderation

accepted

CPE

ready

EPSS

0.01496

KEV

yes

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!