#VU59924 Improper input validation in Oracle Commerce Guided Search


Vulnerability identifier: #VU59924

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-37137

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Oracle Commerce Guided Search
Web applications / E-Commerce systems

Vendor: Oracle

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Content Acquisition System (Netty) component in Oracle Commerce Guided Search. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Oracle Commerce Guided Search: 11.3.2

External links
http://www.oracle.com/security-alerts/cpujan2022.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Communications Unified Assurance
Multiple vulnerabilities in IBM watsonx.data
Multiple vulnerabilities in IBM Watson Knowledge Catalog on-prem
Multiple vulnerabilities in IBM Operations Analytics Predictive Insights
Multiple vulnerabilities in IBM Operations Analytics - Log Analysis
Multiple vulnerabilities in IBM Observability with Instana (OnPrem)
Multiple vulnerabilities in Watson Machine Learning Accelerator on Cloud Pak for Data
Multiple vulnerabilities in IBM QRadar SIEM
Multiple vulnerabilities in Red Hat AMQ Streams
Multiple vulnerabilities in IBM Cloud Pak for Security (CP4S)