Vulnerability-Lookup

CNVD-2025-02855

Vulnerability from cnvd - Published: 2025-02-13

Title

Oracle Shipping Execution信息泄露漏洞（CNVD-2025-02855）

Description

Oracle E-Business Suite（电子商务套件）是美国甲骨文（Oracle）公司的一套全面集成式的全球业务管理软件。该软件提供了客户关系管理、服务管理、财务管理等功能。 Oracle E-Business Suite的Oracle Shipping Execution存在信息泄露漏洞。攻击者可利用该漏洞通过HTTP网络访问破坏Oracle Shipping Execution，并对Oracle Shipping Execution关键数据和所有可访问数据进行未授权访问、创建、删除和修改。

Severity

高

Patch Name

Oracle Shipping Execution信息泄露漏洞（CNVD-2025-02855）的补丁

Patch Description

Oracle E-Business Suite（电子商务套件）是美国甲骨文（Oracle）公司的一套全面集成式的全球业务管理软件。该软件提供了客户关系管理、服务管理、财务管理等功能。 Oracle E-Business Suite的Oracle Shipping Execution（组件：Workflow Events）12.2.6至12.2.10版本的存在信息泄露漏洞。攻击者可利用该漏洞通过HTTP网络访问破坏Oracle Shipping Execution，并对Oracle Shipping Execution关键数据和所有可访问数据进行未授权访问、创建、删除和修改。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.oracle.com/security-alerts/cpuoct2021.html

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-35563

Impacted products

Name
Oracle Shipping Execution >=12.2.6，<=12.2.10

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-35563",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-35563"
    }
  },
  "description": "Oracle E-Business Suite\uff08\u7535\u5b50\u5546\u52a1\u5957\u4ef6\uff09\u662f\u7f8e\u56fd\u7532\u9aa8\u6587\uff08Oracle\uff09\u516c\u53f8\u7684\u4e00\u5957\u5168\u9762\u96c6\u6210\u5f0f\u7684\u5168\u7403\u4e1a\u52a1\u7ba1\u7406\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u63d0\u4f9b\u4e86\u5ba2\u6237\u5173\u7cfb\u7ba1\u7406\u3001\u670d\u52a1\u7ba1\u7406\u3001\u8d22\u52a1\u7ba1\u7406\u7b49\u529f\u80fd\u3002\n\nOracle E-Business Suite\u7684Oracle Shipping Execution\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7HTTP\u7f51\u7edc\u8bbf\u95ee\u7834\u574fOracle Shipping Execution\uff0c\u5e76\u5bf9Oracle Shipping Execution\u5173\u952e\u6570\u636e\u548c\u6240\u6709\u53ef\u8bbf\u95ee\u6570\u636e\u8fdb\u884c\u672a\u6388\u6743\u8bbf\u95ee\u3001\u521b\u5efa\u3001\u5220\u9664\u548c\u4fee\u6539\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.oracle.com/security-alerts/cpuoct2021.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-02855",
  "openTime": "2025-02-13",
  "patchDescription": "Oracle E-Business Suite\uff08\u7535\u5b50\u5546\u52a1\u5957\u4ef6\uff09\u662f\u7f8e\u56fd\u7532\u9aa8\u6587\uff08Oracle\uff09\u516c\u53f8\u7684\u4e00\u5957\u5168\u9762\u96c6\u6210\u5f0f\u7684\u5168\u7403\u4e1a\u52a1\u7ba1\u7406\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u63d0\u4f9b\u4e86\u5ba2\u6237\u5173\u7cfb\u7ba1\u7406\u3001\u670d\u52a1\u7ba1\u7406\u3001\u8d22\u52a1\u7ba1\u7406\u7b49\u529f\u80fd\u3002\r\n\r\nOracle E-Business Suite\u7684Oracle Shipping Execution\uff08\u7ec4\u4ef6\uff1aWorkflow Events\uff0912.2.6\u81f312.2.10\u7248\u672c\u7684\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7HTTP\u7f51\u7edc\u8bbf\u95ee\u7834\u574fOracle Shipping Execution\uff0c\u5e76\u5bf9Oracle Shipping Execution\u5173\u952e\u6570\u636e\u548c\u6240\u6709\u53ef\u8bbf\u95ee\u6570\u636e\u8fdb\u884c\u672a\u6388\u6743\u8bbf\u95ee\u3001\u521b\u5efa\u3001\u5220\u9664\u548c\u4fee\u6539\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Oracle Shipping Execution\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2025-02855\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Oracle Shipping Execution \u003e=12.2.6\uff0c\u003c=12.2.10"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-35563",
  "serverity": "\u9ad8",
  "submitTime": "2021-10-21",
  "title": "Oracle Shipping Execution\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2025-02855\uff09"
}

CVE-2021-35563 (GCVE-0-2021-35563)

Vulnerability from cvelistv5 – Published: 2021-10-20 10:50 – Updated: 2024-09-25 19:35

Summary

Vulnerability in the Oracle Shipping Execution product of Oracle E-Business Suite (component: Workflow Events). Supported versions that are affected are 12.2.6-12.2.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Shipping Execution. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Shipping Execution accessible data as well as unauthorized access to critical data or complete access to all Oracle Shipping Execution accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

Severity ?

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE

Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Shipping Execution. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Shipping Execution accessible data as well as unauthorized access to critical data or complete access to all Oracle Shipping Execution accessible data.

Assigner

oracle

References

URL

Tags

https://www.oracle.com/security-alerts/cpuoct2021.html

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Oracle Corporation	Shipping Execution	Affected: 12.2.6-12.2.10

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T00:40:47.118Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-35563",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-25T19:25:01.440101Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-25T19:35:27.260Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Shipping Execution",
          "vendor": "Oracle Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "12.2.6-12.2.10"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vulnerability in the Oracle Shipping Execution product of Oracle E-Business Suite (component: Workflow Events). Supported versions that are affected are 12.2.6-12.2.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Shipping Execution. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Shipping Execution accessible data as well as unauthorized access to critical data or complete access to all Oracle Shipping Execution accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Shipping Execution.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Shipping Execution accessible data as well as  unauthorized access to critical data or complete access to all Oracle Shipping Execution accessible data.",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-10-20T10:50:10",
        "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "shortName": "oracle"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert_us@oracle.com",
          "ID": "CVE-2021-35563",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Shipping Execution",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "12.2.6-12.2.10"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Oracle Corporation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Vulnerability in the Oracle Shipping Execution product of Oracle E-Business Suite (component: Workflow Events). Supported versions that are affected are 12.2.6-12.2.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Shipping Execution. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Shipping Execution accessible data as well as unauthorized access to critical data or complete access to all Oracle Shipping Execution accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": "8.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Shipping Execution.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Shipping Execution accessible data as well as  unauthorized access to critical data or complete access to all Oracle Shipping Execution accessible data."
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
    "assignerShortName": "oracle",
    "cveId": "CVE-2021-35563",
    "datePublished": "2021-10-20T10:50:10",
    "dateReserved": "2021-06-28T00:00:00",
    "dateUpdated": "2024-09-25T19:35:27.260Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2025-02855

CVE-2021-35563 (GCVE-0-2021-35563)

Tags

Sightings

Nomenclature