Multiple vulnerabilities in Siebel CRM End User



Risk: High
Patch available: Yes
Number of vulnerabilities: 2
CVE-ID: CVE-2023-44387, CVE-2024-38526
CWE-ID: CWE-732, CWE-506
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Siebel CRM End User (Web applications / CRM systems)
Vendor: Oracle

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Incorrect permission assignment for critical resource

EUVDB-ID: #VU83979

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-44387

CWE-ID: CWE-732 - Incorrect Permission Assignment for Critical Resource

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to the way Gradle sets permissions when copying or archiving symlinked files. A local user can set permissions on a symlink, and those permissions are applied to the linked file in the resulting copy or archive.
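The following is an added illustration of the permission-handling point above; it is not code from the advisory, from Oracle or from Gradle. It contrasts a copy routine that takes the permission bits from the symlink entry itself (`os.lstat`, the defective pattern the advisory describes) with one that takes them from the file the link points to (`os.stat`), using a constructed temporary directory and a constructed file with mode 0600. The function and file names are assumptions chosen for the demonstration.

```python
import os
import shutil
import stat
import tempfile


def copy_preserving_target_mode(src, dst):
    """Copy the file behind `src` (following symlinks) and apply the
    permission bits of the *target* file to `dst`. This is the safe form."""
    target_mode = stat.S_IMODE(os.stat(src).st_mode)  # os.stat follows symlinks
    shutil.copyfile(src, dst)  # copyfile also follows symlinks, writes a regular file
    os.chmod(dst, target_mode)
    return target_mode


def copy_with_link_mode_buggy(src, dst):
    """The defective pattern: the copy's content comes from the target, but its
    permission bits are read from the symlink entry (os.lstat does not follow links).
    On Linux a symlink reports 0777, so a 0600 file becomes world-readable."""
    link_mode = stat.S_IMODE(os.lstat(src).st_mode)
    shutil.copyfile(src, dst)
    os.chmod(dst, link_mode)
    return link_mode


def demo():
    """Build a constructed layout (secret.txt, mode 0600, plus link.txt -> secret.txt),
    copy it both ways and return the resulting permission bits."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret.txt")
        with open(secret, "w") as f:
            f.write("constructed sample content\n")
        os.chmod(secret, 0o600)
        link = os.path.join(d, "link.txt")
        os.symlink(secret, link)

        good = copy_preserving_target_mode(link, os.path.join(d, "good.txt"))
        bad = copy_with_link_mode_buggy(link, os.path.join(d, "bad.txt"))
        return {
            "good": good,                                     # 0o600, as the target had
            "bad": bad,                                       # whatever the link entry reported
            "link_mode": stat.S_IMODE(os.lstat(link).st_mode),
        }


if __name__ == "__main__":
    for name, mode in demo().items():
        print(f"{name}: {mode:04o}")
```

When auditing a copy or archive step, the check that matters is whether the mode written for a dereferenced symlink equals the mode of the link target; anything read via `lstat` on the link is the wrong source.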

Mitigation

Install update from vendor's website.

Vulnerable software versions

Siebel CRM End User: 24.0 - 24.11

External links

http://www.oracle.com/security-alerts/cpujan2025.html?1007002


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Embedded malicious code (backdoor)

EUVDB-ID: #VU98008

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-38526

CWE-ID: CWE-506 - Embedded Malicious Code

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to the application.

The vulnerability exists because documentation generated with `pdoc --math` links to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code.
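As an added example (not code from the advisory, from Oracle or from the pdoc project), the audit below scans generated HTML for `<script src>` references and reports any that point at the polyfill.io domain named above, plus any cross-origin script that carries no Subresource Integrity `integrity` attribute. The sample HTML, the flagged-host list and the `sha384-PLACEHOLDER` digest are constructed for the demonstration and are not taken from real pdoc output.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed flag list: the domain named in the advisory. Extend as needed.
FLAGGED_HOSTS = {"polyfill.io"}

# Constructed sample of documentation HTML (not real pdoc output).
SAMPLE_HTML = """<html><head>
<script src="https://polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="https://cdn.example.net/mathjax/tex-mml-chtml.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="/static/local.js"></script>
</head><body></body></html>"""


class _ScriptCollector(HTMLParser):
    """Collect the attribute dict of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append(dict(attrs))


def _host_matches(host, flagged):
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in flagged)


def audit_scripts(html, flagged_hosts=FLAGGED_HOSTS):
    """Return a finding per external script that is hosted on a flagged domain
    or lacks an SRI integrity attribute. Same-origin scripts are skipped."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline script, nothing fetched from a CDN
        host = urlparse(src).hostname or ""  # also handles scheme-relative "//host/..."
        if not host:
            continue  # relative URL: served from the documentation's own origin
        reasons = []
        if _host_matches(host, flagged_hosts):
            reasons.append("flagged host")
        if "integrity" not in attrs:
            reasons.append("no SRI integrity attribute")
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_HTML):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

Run it over the generated HTML tree before publishing; a hit on the flagged host means the page must be regenerated with a patched generator or the reference removed, and a hit for a missing `integrity` attribute means a CDN change of ownership would be invisible to the browser, which is exactly the failure mode this entry describes.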

Mitigation

Install update from vendor's website.

Vulnerable software versions

Siebel CRM End User: 24.0 - 24.11

External links

http://www.oracle.com/security-alerts/cpujan2025.html?1007002


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
