#VU38545 Input validation error in Enterprise Manager Base Platform - CVE-2017-10091


Updated: 2020-08-08

Vulnerability identifier: #VU38545

Vulnerability risk: Medium

CVSSv4.0: 5.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:U/U:Green]

CVE-ID: CVE-2017-10091

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Enterprise Manager Base Platform
Server applications / Other server solutions

Vendor: Oracle

Description

The vulnerability allows a remote authenticated user to manipulate data.

The vulnerability is in the Enterprise Manager Base Platform component of Oracle Enterprise Manager Grid Control (subcomponent: UI Framework). The affected supported versions are 12.1.0, 13.1.0 and 13.2.0. This easily exploitable vulnerability allows a low-privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. While the vulnerability is in Enterprise Manager Base Platform, attacks may significantly impact additional products. Successful attacks can result in unauthorized creation, deletion or modification of critical data or of all data accessible to Enterprise Manager Base Platform. CVSS 3.0 Base Score 7.7 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N).

Mitigation
Install the update from the vendor's website.

Vulnerable software versions

Enterprise Manager Base Platform: 12.1.0 - 13.2.0


External links
https://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
https://www.securityfocus.com/bid/99649
https://www.securitytracker.com/id/1038930


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
