CVE-2017-3594 Details

CVE-2017-3594

Published: 2017-04-24
Last Modified: 2019-10-03
CVE Author: NIST National Vulnerability Database
CVE Assigner: cve@mitre.org
Summary

Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Advanced UI). Supported versions that are affected are 11.1.1.8.0, 12.2.1.0.0, 12.2.1.1.0 and 12.2.1.2.0. This difficult-to-exploit vulnerability allows a low-privileged attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks can result in unauthorized access to critical data or complete access to all Oracle WebCenter Sites accessible data, as well as unauthorized update, insert or delete access to some of Oracle WebCenter Sites accessible data. CVSS 3.0 Base Score 5.9 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N).

Analysis
Common Vulnerability Scoring System v2.0
Severity: High
Base Score: 7/10
Exploit Score: 6.8/10
Access Vector: Network
Access Complexity: Medium
Authentication: Single
Impact Score: 7.8/10
Confidentiality Impact: Complete
Availability Impact: None
Integrity Impact: Partial
Vector String: AV:N/AC:M/Au:S/C:C/I:P/A:N
Common Vulnerability Scoring System v3.1
Severity: Medium
Base Score: 5.9/10
Exploit Score: 1.6/10
Access Vector: Network
Access Complexity: High
Privileges Required: Low
Impact Score: 4.2/10
Confidentiality Impact: High
Availability Impact: None
Integrity Impact: Low
Scope: Unchanged
User Interaction: None
Vector String: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
Products Reported
CPE | Vulnerable | Start | Excluding
cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:*:*:*:*:*:*:* | Yes | - | -
cpe:2.3:a:oracle:webcenter_sites:12.2.1.0.0:*:*:*:*:*:*:* | Yes | - | -
cpe:2.3:a:oracle:webcenter_sites:12.2.1.1.0:*:*:*:*:*:*:* | Yes | - | -
cpe:2.3:a:oracle:webcenter_sites:12.2.1.2.0:*:*:*:*:*:*:* | Yes | - | -
References

http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
http://www.securityfocus.com/bid/97901
http://www.securityfocus.com/bid/97905
http://www.securitytracker.com/id/1038291

CVE ID: CVE-2017-3594
Published: 2017-04-24
Modified: 2019-10-03
CVSSv2.0: High
CVSSv3.1: Medium
PCI Compliance: Fail
US-CERT Alert: No
CWE: CWE Pending
