SB20240117118 - Multiple vulnerabilities in Oracle Banking Liquidity Management

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20240117118

SB20240117118 - Multiple vulnerabilities in Oracle Banking Liquidity Management

Published: January 17, 2024

Security Bulletin ID SB20240117118
Severity
High
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 14% Medium 71% Low 14%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 7 secuirty vulnerabilities.


1) Insecure Temporary File (CVE-ID: CVE-2020-15250)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to the application is using the test rule TemporaryFolder that stores sensitive information in temporary files in the system temporary directory, accessible by other system users. A local user can read temporary files and obtain sensitive information, related to the application.


2) Resource exhaustion (CVE-ID: CVE-2022-22969)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when processing requests initiating the Authorization Request for the Authorization Code Grant. A remote attacker can end multiple requests to the OAuth 2.0 Client, trigger resource exhaustion and perform a denial of service (DoS) attack.


3) Uncontrolled Recursion (CVE-ID: CVE-2023-1370)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to uncontrolled recursion when processing nested arrays and objects. A remote attacker can pass specially crafted JSON data to the application and perform a denial of service (DoS) attack.


4) Input validation error (CVE-ID: CVE-2022-22979)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the caching issue in Function Catalog component of the framework. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack via spring-cloud-function-web module.


5) Path traversal (CVE-ID: CVE-2020-5410)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences through the spring-cloud-config-server module. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.


6) Improper input validation (CVE-ID: CVE-2023-2618)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Load Testing for Web Apps (OpenCV) component in Oracle Application Testing Suite. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.


7) Security features bypass (CVE-ID: CVE-2023-34034)

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to the usage of "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux. A remote unauthenticated attacker can trigger the vulnerability to bypass security restrictions.


Remediation

Install update from vendor's website.

References