CVE-2025-50105 in Universal Work Queue

Summary

by MITRE • 07/15/2025

Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Administration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Universal Work Queue accessible data as well as unauthorized access to critical data or complete access to all Oracle Universal Work Queue accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).


Analysis

by VulDB Data Team • 07/25/2025

The vulnerability identified as CVE-2025-50105 resides within Oracle Universal Work Queue component of the Oracle E-Business Suite, specifically within the Work Provider Administration module. This flaw affects versions 12.2.3 through 12.2.14, representing a significant attack surface within enterprise financial and operational systems. The vulnerability operates at the application layer and presents an easily exploitable condition that requires minimal privileges to initiate attacks, making it particularly dangerous in environments where network access is not adequately restricted. The affected component processes administrative functions related to work queue management and provider configurations, which are critical for business process automation and workflow management within enterprise systems.

The technical nature of this vulnerability stems from insufficient access controls and authentication mechanisms within the Work Provider Administration interface. An attacker with low privileges and network access via HTTP can exploit this weakness to gain unauthorized access to critical system data and functionality. The vulnerability's CVSS score of 8.1 indicates high severity with significant impacts to both confidentiality and integrity, suggesting that successful exploitation could result in complete data compromise and modification capabilities. The attack vector requires network connectivity and does not require user interaction, making it particularly dangerous as it can be exploited automatically by threat actors. This weakness creates a pathway for attackers to manipulate work queue configurations, potentially disrupting business processes, accessing sensitive financial data, or corrupting operational workflows that depend on proper queue management.

The operational impact of this vulnerability extends beyond simple data compromise to encompass potential business disruption and financial loss. Organizations utilizing Oracle E-Business Suite with affected versions face risks of unauthorized modification of critical work queue configurations that could lead to system failures, data inconsistencies, or unauthorized process execution. The vulnerability allows attackers to perform unauthorized creation, deletion, and modification operations on all accessible data within the Oracle Universal Work Queue system, potentially affecting multiple business functions including financial processing, inventory management, and human resources workflows. This comprehensive access capability means that a single exploited vulnerability could provide attackers with extensive control over enterprise operations, making it a prime target for threat actors seeking to cause maximum disruption or data exfiltration. The vulnerability also creates potential for privilege escalation within the application environment, as work queue administration often involves elevated system permissions.

Organizations should implement immediate mitigations including network segmentation to restrict access to the affected Oracle Universal Work Queue administration interfaces, deployment of web application firewalls to monitor and filter HTTP traffic, and implementation of least privilege access controls for administrative functions. The vulnerability aligns with CWE-284 (Improper Access Control) and represents a clear violation of the principle of least privilege in application security design. Security teams should also consider implementing network monitoring to detect anomalous access patterns to work queue administration interfaces and establish incident response procedures for potential exploitation attempts. The CVSS vector indicates that this vulnerability requires low attack complexity and low privileges, making it particularly attractive to automated exploitation tools and increasing the urgency for remediation. Additionally, organizations should conduct comprehensive security assessments of their Oracle E-Business Suite implementations to identify and remediate similar access control weaknesses in other components, as this vulnerability may indicate broader architectural security issues within the application environment.

Responsible: Oracle

Reservation: 06/12/2025

Disclosure: 07/15/2025

Moderation: accepted

CPE: ready

EPSS: 0.00342

KEV: no

Activities: very low
