CVE-2024-21287 | Attaxion

CISA Known Exploited Vulnerability (KEV)

Name

Oracle Agile Product Lifecycle Management (PLM) Incorrect Authorization Vulnerability

Exploit added

November 21, 2024

Action due

December 12, 2024

Action required

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

Vulnerability in the Oracle Agile PLM Framework product of Oracle Supply Chain (component: Software Development Kit, Process Extension). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM Framework. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile PLM Framework accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

References

https://www.oracle.com/security-alerts/alert-cve-2024-21287.html

Weakness Enumeration

CWE-ID	CWE Name
CWE-863	Incorrect Authorization

Known Affected Software Configurations

cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.6:::::::*

Details

Source:
NVD

Published:
November 18, 2024

Updated:
November 29, 2024

Risk information

CVSS v3

Base score:
7.5

Severity:

HIGH

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2

Not defined