Vulnerability-Lookup

BDU:2019-04006

Vulnerability from fstec - Published: 15.10.2019

Title

Уязвимость подкомпонента ADF Faces компонента Oracle JDeveloper and ADF программной платформы Oracle Fusion Middleware, позволяющая нарушителю получить полный контроль над приложением

Description

Уязвимость подкомпонента ADF Faces компонента Oracle JDeveloper and ADF программной платформы Oracle Fusion Middleware связана с недостатками контроля доступа. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, получить полный контроль над приложением с помощью сетевого HTTP протокола

Severity ?


                    
                      AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vendor

Oracle Corp.

Software Name

Fusion Middleware, Enterprise Repository, Business Process Management Suite, Hyperion Planning, Application Testing Suite, Oracle Retail Clearance Optimization Engine, Oracle Hyperion Financial Close Management, Oracle Retail Assortment Planning, Banking Platform, Banking Enterprise Product Manufacturing, Oracle FLEXCUBE Private Banking, Clinical, Oracle Health Sciences Data Management Workbench, Oracle Retail Markdown Optimization, Oracle Retail Sales Audit, Oracle Communications Service Broker, Oracle Communications Services Gatekeeper, Oracle Banking Enterprise Collections, Oracle Banking Enterprise Originations, Oracle Financial Services Revenue Management and Billing, Communications Diameter Signaling Router

Software Version

11.1.1.9.0 (Fusion Middleware), 12.1.3.0.0 (Fusion Middleware), 12.2.1.3.0 (Fusion Middleware), 11.1.1.7.0 (Enterprise Repository), 12.2.1.3.0 (Business Process Management Suite), 11.1.2.4 (Hyperion Planning), 13.3.0.1 (Application Testing Suite), 12.5.0.3 (Application Testing Suite), 13.1.0.1 (Application Testing Suite), 13.2.0.1 (Application Testing Suite), 14.0.5 (Oracle Retail Clearance Optimization Engine), 11.1.2.4 (Oracle Hyperion Financial Close Management), 16.0.3 (Oracle Retail Assortment Planning), 2.5.0 (Banking Platform), 2.6.0 (Banking Platform), 2.6.1 (Banking Platform), 2.6.2 (Banking Platform), 2.7.0 (Banking Enterprise Product Manufacturing), 2.8.0 (Banking Enterprise Product Manufacturing), 12.0 (Oracle FLEXCUBE Private Banking), 12.1 (Oracle FLEXCUBE Private Banking), 2.4.0 (Banking Platform), 2.4.1 (Banking Platform), 2.7.0 (Banking Platform), 2.7.2 (Banking Platform), 2.7.1 (Banking Platform), 2.9.0 (Banking Platform), 5.2 (Clinical), 2.4 (Oracle Health Sciences Data Management Workbench), 2.5 (Oracle Health Sciences Data Management Workbench), 15.0.3 (Oracle Retail Assortment Planning), 13.4 (Oracle Retail Markdown Optimization), 15.0.3 (Oracle Retail Sales Audit), 16.0.2 (Oracle Retail Sales Audit), 6.0 (Oracle Communications Service Broker), 6.1 (Oracle Communications Service Broker), 6.0 (Oracle Communications Services Gatekeeper), 6.1 (Oracle Communications Services Gatekeeper), 2.7.0 (Oracle Banking Enterprise Collections), 2.8.0 (Oracle Banking Enterprise Collections), 2.7.0 (Oracle Banking Enterprise Originations), 2.8.0 (Oracle Banking Enterprise Originations), 2.6 (Oracle Financial Services Revenue Management and Billing), 2.7 (Oracle Financial Services Revenue Management and Billing), 2.8 (Oracle Financial Services Revenue Management and Billing), 12.2.1.4.0 (Business Process Management Suite), от 8.0.0.0 до 8.4.0.5 включительно (Communications Diameter Signaling Router)

Possible Mitigations

Для программных продуктов Oracle Corp.: https://www.oracle.com/security-alerts/cpujan2020.html https://www.oracle.com/security-alerts/cpuapr2020.html https://www.oracle.com/security-alerts/cpuoct2020.html

Reference

https://www.oracle.com/technetwork/topics/security/public-vuln-to-advisory-mapping-093627.html https://www.oracle.com/security-alerts/cpujan2020.html https://www.oracle.com/security-alerts/cpuapr2020.html https://www.oracle.com/security-alerts/cpuoct2020.html

CWE

CWE-284

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Oracle Corp.",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "11.1.1.9.0 (Fusion Middleware), 12.1.3.0.0 (Fusion Middleware), 12.2.1.3.0 (Fusion Middleware), 11.1.1.7.0 (Enterprise Repository), 12.2.1.3.0 (Business Process Management Suite), 11.1.2.4 (Hyperion Planning), 13.3.0.1 (Application Testing Suite), 12.5.0.3 (Application Testing Suite), 13.1.0.1 (Application Testing Suite), 13.2.0.1 (Application Testing Suite), 14.0.5 (Oracle Retail Clearance Optimization Engine), 11.1.2.4 (Oracle Hyperion Financial Close Management), 16.0.3 (Oracle Retail Assortment Planning), 2.5.0 (Banking Platform), 2.6.0 (Banking Platform), 2.6.1 (Banking Platform), 2.6.2 (Banking Platform), 2.7.0 (Banking Enterprise Product Manufacturing), 2.8.0 (Banking Enterprise Product Manufacturing), 12.0 (Oracle FLEXCUBE Private Banking), 12.1 (Oracle FLEXCUBE Private Banking), 2.4.0 (Banking Platform), 2.4.1 (Banking Platform), 2.7.0 (Banking Platform), 2.7.2 (Banking Platform), 2.7.1 (Banking Platform), 2.9.0 (Banking Platform), 5.2 (Clinical), 2.4 (Oracle Health Sciences Data Management Workbench), 2.5 (Oracle Health Sciences Data Management Workbench), 15.0.3 (Oracle Retail Assortment Planning), 13.4 (Oracle Retail Markdown Optimization), 15.0.3 (Oracle Retail Sales Audit), 16.0.2 (Oracle Retail Sales Audit), 6.0 (Oracle Communications Service Broker), 6.1 (Oracle Communications Service Broker), 6.0 (Oracle Communications Services Gatekeeper), 6.1 (Oracle Communications Services Gatekeeper), 2.7.0 (Oracle Banking Enterprise Collections), 2.8.0 (Oracle Banking Enterprise Collections), 2.7.0 (Oracle Banking Enterprise Originations), 2.8.0 (Oracle Banking Enterprise Originations), 2.6 (Oracle Financial Services Revenue Management and Billing), 2.7 (Oracle Financial Services Revenue Management and Billing), 2.8 (Oracle Financial Services Revenue Management and Billing), 12.2.1.4.0 (Business Process Management Suite), \u043e\u0442 8.0.0.0 \u0434\u043e 8.4.0.5 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Communications Diameter Signaling Router)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Oracle Corp.:\nhttps://www.oracle.com/security-alerts/cpujan2020.html\nhttps://www.oracle.com/security-alerts/cpuapr2020.html\nhttps://www.oracle.com/security-alerts/cpuoct2020.html",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "15.10.2019",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "17.11.2020",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "11.11.2019",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2019-04006",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2019-2904",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0430\u0440\u0445\u0438\u0442\u0435\u043a\u0442\u0443\u0440\u044b",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Fusion Middleware, Enterprise Repository, Business Process Management Suite, Hyperion Planning, Application Testing Suite, Oracle Retail Clearance Optimization Engine, Oracle Hyperion Financial Close Management, Oracle Retail Assortment Planning, Banking Platform, Banking Enterprise Product Manufacturing, Oracle FLEXCUBE Private Banking, Clinical, Oracle Health Sciences Data Management Workbench, Oracle Retail Markdown Optimization, Oracle Retail Sales Audit, Oracle Communications Service Broker, Oracle Communications Services Gatekeeper, Oracle Banking Enterprise Collections, Oracle Banking Enterprise Originations, Oracle Financial Services Revenue Management and Billing, Communications Diameter Signaling Router",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u043e\u0434\u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0430 ADF Faces \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0430 Oracle JDeveloper and ADF \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b Oracle Fusion Middleware, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043f\u043e\u043b\u043d\u044b\u0439 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044c \u043d\u0430\u0434 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0435\u043c",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044c \u0434\u043e\u0441\u0442\u0443\u043f\u0430 (CWE-284)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u043e\u0434\u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0430 ADF Faces \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0430 Oracle JDeveloper and ADF \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b Oracle Fusion Middleware \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043a\u0430\u043c\u0438 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u0430. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043f\u043e\u043b\u043d\u044b\u0439 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044c \u043d\u0430\u0434 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0435\u043c \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u0441\u0435\u0442\u0435\u0432\u043e\u0433\u043e HTTP \u043f\u0440\u043e\u0442\u043e\u043a\u043e\u043b\u0430",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041d\u0430\u0440\u0443\u0448\u0435\u043d\u0438\u0435 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://www.oracle.com/technetwork/topics/security/public-vuln-to-advisory-mapping-093627.html\nhttps://www.oracle.com/security-alerts/cpujan2020.html\nhttps://www.oracle.com/security-alerts/cpuapr2020.html\nhttps://www.oracle.com/security-alerts/cpuoct2020.html",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041f\u041e \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438/\u041f\u041e \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u044c\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e-\u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u041f\u041e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e-\u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430, \u041f\u041e \u0441\u0435\u0442\u0435\u0432\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e-\u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-284",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 10)\n\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9,8)"
}

CVE-2019-2904 (GCVE-0-2019-2904)

Vulnerability from cvelistv5 – Published: 2019-10-16 17:40 – Updated: 2024-10-15 18:50

Summary

Vulnerability in the Oracle JDeveloper and ADF product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 11.1.1.9.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle JDeveloper and ADF. Successful attacks of this vulnerability can result in takeover of Oracle JDeveloper and ADF. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Severity ?

9.8 (Critical)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle JDeveloper and ADF. Successful attacks of this vulnerability can result in takeover of Oracle JDeveloper and ADF.

Assigner

oracle

References

URL

Tags

	https://www.oracle.com/security-alerts/cpuapr2020.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpujul2020.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpujan2020.html	x_refsource_MISC
	http://www.oracle.com/technetwork/security-adviso…	x_refsource_MISC
	https://www.zerodayinitiative.com/advisories/ZDI-…	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpuoct2020.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpuapr2021.html	x_refsource_MISC

Impacted products

Vendor

Product

Version

Oracle Corporation

Enterprise Repository

Affected: 11.1.1.7.0

Oracle Corporation

Rapid Planning

Affected: 12.1.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T19:03:43.365Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.zerodayinitiative.com/advisories/ZDI-19-1024/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2021.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2019-2904",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-15T17:36:30.925092Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-15T18:50:07.530Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Enterprise Repository",
          "vendor": "Oracle Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "11.1.1.7.0"
            }
          ]
        },
        {
          "product": "Rapid Planning",
          "vendor": "Oracle Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "12.1.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vulnerability in the Oracle JDeveloper and ADF product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 11.1.1.9.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle JDeveloper and ADF. Successful attacks of this vulnerability can result in takeover of Oracle JDeveloper and ADF. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle JDeveloper and ADF.  Successful attacks of this vulnerability can result in takeover of Oracle JDeveloper and ADF.",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-04-22T21:53:43.000Z",
        "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "shortName": "oracle"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-19-1024/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2021.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert_us@oracle.com",
          "ID": "CVE-2019-2904",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Enterprise Repository",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "11.1.1.7.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Rapid Planning",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "12.1.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Oracle Corporation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Vulnerability in the Oracle JDeveloper and ADF product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 11.1.1.9.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle JDeveloper and ADF. Successful attacks of this vulnerability can result in takeover of Oracle JDeveloper and ADF. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": "9.8",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle JDeveloper and ADF.  Successful attacks of this vulnerability can result in takeover of Oracle JDeveloper and ADF."
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
            },
            {
              "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
              "refsource": "MISC",
              "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
            },
            {
              "name": "https://www.zerodayinitiative.com/advisories/ZDI-19-1024/",
              "refsource": "MISC",
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-19-1024/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2021.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
    "assignerShortName": "oracle",
    "cveId": "CVE-2019-2904",
    "datePublished": "2019-10-16T17:40:53.000Z",
    "dateReserved": "2018-12-14T00:00:00.000Z",
    "dateUpdated": "2024-10-15T18:50:07.530Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

BDU:2019-04006

CVE-2019-2904 (GCVE-0-2019-2904)

Tags

Sightings

Nomenclature