SB20241015178 - Multiple vulnerabilities in Oracle Banking APIs

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20241015178

SB20241015178 - Multiple vulnerabilities in Oracle Banking APIs

Published: October 15, 2024

Security Bulletin ID SB20241015178
Severity
Medium
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 75% Low 25%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2024-29025)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in HttpPostRequestDecoder. A remote attacker can gain unauthorized access to sensitive information on the system.


2) Cross-site scripting (CVE-ID: CVE-2024-43407)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the Code Snippet GeSHi plugin. A remote attacker can execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


3) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2024-22262)

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input when parsing URL with the UriComponentsBuilder component. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

Note, this vulnerability exists due to incomplete fix for #VU87614 (CVE-2024-22259) and #VU86695 (CVE-2024-22243).


4) Missing authorization (CVE-ID: CVE-2024-32114)

The vulnerability allows a remote attacker to gain unauthorized access to the application.

The vulnerability exists due to missing authorization in the application's REST API. A remote attacker can interact with the broker using Jolokia JMX REST API and produce/consume messages or purge/delete destinations using the Message REST API.


Remediation

Install update from vendor's website.

References