Oracle PeopleSoft Enterprise HCM Global Payroll Core up to 9.2.50 Global Payroll for Core improper authorization

Summaryinfo

A vulnerability was found in Oracle PeopleSoft Enterprise HCM Global Payroll Core up to 9.2.50. It has been rated as critical. The impacted element is an unknown function of the component Global Payroll for Core. This manipulation causes improper authorization. This vulnerability is handled as CVE-2024-21283. The attack can be initiated remotely. There is not any exploit available. Upgrading the affected component is advised.

Detailsinfo

A vulnerability classified as critical was found in Oracle PeopleSoft Enterprise HCM Global Payroll Core up to 9.2.50. Affected by this vulnerability is an unknown function of the component Global Payroll for Core. The manipulation with an unknown input leads to a improper authorization vulnerability. The CWE definition for the vulnerability is CWE-285. The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

Vulnerability in the PeopleSoft Enterprise HCM Global Payroll Core product of Oracle PeopleSoft (component: Global Payroll for Core). Supported versions that are affected are 9.2.48-9.2.50. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Global Payroll Core. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise HCM Global Payroll Core accessible data as well as unauthorized access to critical data or complete access to all PeopleSoft Enterprise HCM Global Payroll Core accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

The advisory is shared at oracle.com. This vulnerability is known as CVE-2024-21283 since 12/07/2023. The exploitation appears to be easy. The attack can be launched remotely. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 10/16/2024). MITRE ATT&CK project uses the attack technique T1548.002 for this issue.

Upgrading eliminates this vulnerability.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Type

• Enterprise Resource Planning Software

Vendor

• Oracle

Name

• PeopleSoft Enterprise HCM Global Payroll Core

Version

• 9.2.0
• 9.2.1
• 9.2.2
• 9.2.3
• 9.2.4
• 9.2.5
• 9.2.6
• 9.2.7
• 9.2.8
• 9.2.9
• 9.2.10
• 9.2.11
• 9.2.12
• 9.2.13
• 9.2.14
• 9.2.15
• 9.2.16
• 9.2.17
• 9.2.18
• 9.2.19
• 9.2.20
• 9.2.21
• 9.2.22
• 9.2.23
• 9.2.24
• 9.2.25
• 9.2.26
• 9.2.27
• 9.2.28
• 9.2.29
• 9.2.30
• 9.2.31
• 9.2.32
• 9.2.33
• 9.2.34
• 9.2.35
• 9.2.36
• 9.2.37
• 9.2.38
• 9.2.39
• 9.2.40
• 9.2.41
• 9.2.42
• 9.2.43
• 9.2.44
• 9.2.45
• 9.2.46
• 9.2.47
• 9.2.48
• 9.2.49
• 9.2.50

License

• commercial

Website

• Vendor: https://www.oracle.com

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion