CVE-2025-50107 in Oracle Universal Work Queue

Summary

by MITRE • 07/15/2025

Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Request handling). Supported versions that are affected are 12.2.5-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Universal Work Queue. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Universal Work Queue, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Universal Work Queue accessible data as well as unauthorized read access to a subset of Oracle Universal Work Queue accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).


Analysis

by VulDB Data Team • 10/04/2025

CVE-2025-50107 is a flaw in the request handling of the Oracle Universal Work Queue component of Oracle E-Business Suite (EBS). Oracle lists versions 12.2.5 through 12.2.14 as affected and addressed the issue in its Critical Patch Update of July 2025. The advisory rates the flaw as easily exploitable by an unauthenticated attacker with HTTP network access; that matters because EBS web tiers are frequently reachable from far more of the network (or the internet) than the user population that actually needs them, and no credentials stand between the attacker and the vulnerable code path.

Oracle's advisory describes the impact but not the underlying weakness; VulDB classifies the issue as CWE-287 (Improper Authentication). What the advisory does establish is the CVSS profile: no privileges required (PR:N), user interaction required (UI:R), scope changed (S:C), and low confidentiality and integrity impact (C:L, I:L) with no availability impact (A:N). In concrete terms, an attacker can cause unauthorized update, insert or delete of some Universal Work Queue data and read a subset of it, but only after a legitimate user performs some action. An unauthenticated attacker who still needs a victim's interaction, and whose effects land in a different security scope, is the profile of an attack delivered through a legitimate user's session (for example a crafted link that the user opens), not of a direct bypass of server-side authentication, so the CWE-287 tag should be read as VulDB's classification rather than an established root cause. The CVSS 3.1 base score is 6.1 (Medium); the low attack complexity is what keeps the score above 5.x despite the low per-metric impacts.

The operational impact extends beyond Universal Work Queue itself, which is what the scope metric (S:C) records: the vulnerable component and the impacted component differ. Universal Work Queue runs on the shared EBS web and application tier, so, as Oracle's advisory states, a successful attack may significantly impact other EBS products in the same deployment. The user-interaction requirement (UI:R) means the attacker must induce a legitimate user to act, typically by getting them to open a crafted link or page, which puts this squarely in the phishing-delivered class of attacks against EBS users. A practical consequence for assessment: an unauthenticated scanner that never replays a real user's session will not observe the impact, so a clean scan result is not evidence that the deployment is unaffected; the affected-version list is the reliable indicator.

The fix is the Oracle Critical Patch Update of July 2025, and since the only precondition is HTTP reachability (PR:N), the interim control is to limit who can reach the EBS web tier: place it behind a VPN or authenticating reverse proxy and restrict HTTP access to the networks that need it rather than exposing it to the internet. VulDB classifies the issue under CWE-287 (Improper Authentication) and tags it with ATT&CK techniques for credential access and privilege escalation; treat both as catalogue tags, since Oracle's advisory does not describe the weakness in that detail. Administrators should also monitor the EBS environment for unusual access patterns and unexpected modifications of work-queue data, and because the scope changes, a post-patch review should cover the other EBS products sharing the deployment, not just Universal Work Queue. The EPSS score of 0.00283 and the absence from the KEV catalogue (as of the analysis date) indicate low observed exploitation, which argues for patching on the normal CPU cycle rather than out of band, not for skipping it.

Responsible

Oracle

Reservation

06/12/2025

Disclosure

07/15/2025

Moderation

accepted

CPE

ready

EPSS

0.00283

KEV

no

Activities

very low

Sources
