Multiple vulnerabilities in Oracle Communications Unified Inventory Management
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2019-17091 CVE-2019-11358 CVE-2018-15756 CVE-2019-8457 |
| CWE-ID | CWE-20 CWE-1321 CWE-125 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #2 is available. |
| Vulnerable software Subscribe |
Oracle Communications Unified Inventory Management Server applications / Other server solutions |
| Vendor | Oracle |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Improper input validation
EUVDB-ID: #VU24469
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-17091
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the Maps (Mojarra) component in Oracle Communications Unified Inventory Management. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
MitigationInstall updates from vendor's website.
Oracle Communications Unified Inventory Management: 7.3 - 7.4
CPE2.3- cpe:2.3:a:oracle:unified_inventory:7.4:*:*:*:*:*:*:
- cpe:2.3:a:oracle:unified_inventory:7.3:*:*:*:*:*:*:
http://www.oracle.com/security-alerts/cpujan2020.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Prototype pollution
EUVDB-ID: #VU18092
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-11358
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.
Install updates from vendor's website.
Oracle Communications Unified Inventory Management: 7.3 - 7.4
CPE2.3- cpe:2.3:a:oracle:unified_inventory:7.4:*:*:*:*:*:*:
- cpe:2.3:a:oracle:unified_inventory:7.3:*:*:*:*:*:*:
http://www.oracle.com/security-alerts/cpujan2020.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) Improper input validation
EUVDB-ID: #VU15467
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-15756
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists in Pivotal Software Spring Framework due to improper handling of range requests. A remote attacker can send a specially crafted request that contains an additional range header with a high number of ranges or with wide ranges that overlap and cause the service to crash.
MitigationInstall updates from vendor's website.
Oracle Communications Unified Inventory Management: 7.3 - 7.4
CPE2.3- cpe:2.3:a:oracle:unified_inventory:7.4:*:*:*:*:*:*:
- cpe:2.3:a:oracle:unified_inventory:7.3:*:*:*:*:*:*:
http://www.oracle.com/security-alerts/cpujan2020.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Out-of-bounds read
EUVDB-ID: #VU18657
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-8457
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform denial of service attack.
The vulnerability exists due to a boundary condition in rtreenode() function when handling invalid rtree tables. A remote attacker can send a specially crafted request to the application, trigger heap out-of-bounds read crash the application.
MitigationInstall updates from vendor's website.
Oracle Communications Unified Inventory Management: 7.3 - 7.4
CPE2.3- cpe:2.3:a:oracle:unified_inventory:7.4:*:*:*:*:*:*:
- cpe:2.3:a:oracle:unified_inventory:7.3:*:*:*:*:*:*:
http://www.oracle.com/security-alerts/cpujan2020.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
