SB20240117119 - Multiple vulnerabilities in Oracle Banking Digital Experience

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20240117119

SB20240117119 - Multiple vulnerabilities in Oracle Banking Digital Experience

Published: January 17, 2024 Updated: June 20, 2025

Security Bulletin ID SB20240117119
Severity
Critical
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Critical 33% High 33% Medium 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2023-5072)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to allocation of resources without limits or throttling. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.


2) Security features bypass (CVE-ID: CVE-2023-34034)

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to the usage of "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux. A remote unauthenticated attacker can trigger the vulnerability to bypass security restrictions.


3) Deserialization of Untrusted Data (CVE-ID: CVE-2023-46604)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data in the OpenWire protocol. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


Remediation

Install update from vendor's website.

References