Multiple vulnerabilities in Oracle Spatial Studio



Published: 2021-04-21
Risk Medium
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2020-7760
CVE-2020-13956
CWE-ID CWE-400
CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Oracle Spatial Studio
Web applications / CMS

Vendor Oracle

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Resource exhaustion

EUVDB-ID: #VU52384

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-7760

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when processing regular expression. A remote attacker can trigger resource exhaustion and perform a regular expression denial of service (ReDoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Spatial Studio: 19.0.0

External links

http://www.oracle.com/security-alerts/cpuapr2021.html?930250


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Input validation error

EUVDB-ID: #VU47481

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-13956

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected application.

The vulnerability exists due to insufficient validation of user-supplied input in Apache HttpClient. A remote attacker can pass request URIs to the library as java.net.URI object and force the application to pick the wrong target host for request execution.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Spatial Studio: 20.1.0

External links

http://www.oracle.com/security-alerts/cpuapr2021.html?930250


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###