CVE-2025-30756 in REST Data Servicesinfo

Summary

by MITRE • 07/15/2025

Vulnerability in Oracle REST Data Services (component: General). The supported version that is affected is 24.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle REST Data Services. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle REST Data Services accessible data as well as unauthorized read access to a subset of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/25/2025

Oracle REST Data Services version 24.2.0 contains a critical vulnerability that represents a significant security risk for organizations relying on this component. This vulnerability exists within the general functionality of the Oracle REST Data Services framework and affects the specific version 24.2.0 which is currently supported. The flaw creates an easily exploitable condition that allows unauthenticated attackers to gain access to the system through standard HTTP network connections without requiring any authentication credentials or privileged access. The vulnerability's exploitability is enhanced by its low attack complexity requirements, making it particularly dangerous for organizations with exposed web services.

The technical nature of this vulnerability stems from insufficient access controls within Oracle REST Data Services that permit unauthorized data manipulation and retrieval operations. Attackers can exploit this weakness to perform unauthorized update, insert, or delete operations against data accessible through the service, while also gaining read access to sensitive information within the system's data repository. The vulnerability's impact extends beyond the immediate Oracle REST Data Services component, as indicated by the scope change aspect of the attack vector. This means that successful exploitation can potentially compromise additional Oracle products and systems within the same network environment, creating a cascading effect that amplifies the overall security impact.

From an operational perspective, this vulnerability poses substantial risk to organizations that deploy Oracle REST Data Services in production environments. The CVSS 3.1 base score of 6.1 indicates a moderate to high severity threat level, with particular emphasis on confidentiality and integrity impacts. The attack vector requires network access via HTTP and only needs human interaction from someone other than the attacker, suggesting that social engineering or targeted phishing attacks could facilitate exploitation. The combination of unauthorized data modification capabilities and read access to sensitive information creates a dual threat that could lead to data corruption, information leakage, and potential system compromise. Organizations with exposed REST endpoints face significant risk of unauthorized access to business-critical data and operational systems.

The vulnerability aligns with CWE-284 (Improper Access Control) and represents a classic case of insufficient authorization checks within web service implementations. From an ATT&CK framework perspective, this vulnerability maps to techniques involving unauthorized access and data manipulation, potentially enabling later stages of the attack lifecycle including privilege escalation and data exfiltration. Organizations should implement immediate mitigations including network segmentation to limit exposure, firewall rules to restrict HTTP access, and application-level access controls to minimize the attack surface. Additionally, regular security assessments and monitoring of REST endpoint activities should be implemented to detect potential exploitation attempts. The recommended approach includes upgrading to patched versions of Oracle REST Data Services, implementing network-based controls, and establishing comprehensive monitoring protocols to detect unauthorized access attempts and data manipulation activities.

Responsible

Oracle

Reservation

03/26/2025

Disclosure

07/15/2025

Moderation

accepted

CPE

ready

EPSS

0.00126

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!