Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2020-5421, CVE-2017-8028 |
CWE-ID | CWE-20, CWE-592 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #1 is available. |
Vulnerable software | Oracle Retail Invoice Matching (Web applications / E-Commerce systems) |
Vendor | Oracle |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU49739
Risk: Medium
CVSSv4.0: 5.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N/E:P/U:Green]
CVE-ID: CVE-2020-5421
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
Description: The vulnerability allows a remote authenticated user to read and manipulate data.
The vulnerability exists due to improper input validation within the Core (Spring Framework) component in Oracle Communications Session Report Manager. A remote authenticated user can exploit this vulnerability to read and manipulate data.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Oracle Retail Invoice Matching: 14.0 - 14.1
CPE2.3
https://www.oracle.com/security-alerts/cpujan2021.html?924194
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU9424
Risk: Low
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-8028
CWE-ID:
CWE-592 - Authentication Bypass Issues
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass authentication on the target system.
The weakness exists because some LDAP vendors require an explicit operation for the LDAP bind to take effect. A remote attacker with knowledge of the username can authenticate with an arbitrary password when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy and setting userSearch.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Oracle Retail Invoice Matching: 13.2 - 14.1
CPE2.3
https://www.oracle.com/security-alerts/cpujan2021.html?924194
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.