CVE-2017-3548
moderate-risk
Published 2017-04-24
Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Integration Broker). Supported versions that are affected are 8.54 and 8.55. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of PeopleSoft Enterprise PeopleTools. CVSS 3.0 Base Score 6.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L).
Do I need to act?
!
49.2% chance of exploitation in next 30 days
EPSS score — higher than 51% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.5/10
Medium
NETWORK
/ LOW complexity
Affected Products (2)
Affected Vendors
References (10)
Third Party Advisory
http://www.securityfocus.com/bid/97880
Third Party Advisory
http://www.securitytracker.com/id/1038301
Third Party Advisory
https://erpscan.io/advisories/erpscan-17-020-xxe-via-doctype-peoplesoft/
Third Party Advisory
https://www.exploit-db.com/exploits/41925/
Third Party Advisory
http://www.securityfocus.com/bid/97880
Third Party Advisory
http://www.securitytracker.com/id/1038301
Third Party Advisory
https://erpscan.io/advisories/erpscan-17-020-xxe-via-doctype-peoplesoft/
Third Party Advisory
https://www.exploit-db.com/exploits/41925/
49
/ 100
moderate-risk
Severity
24/34 · High
Exploitability
18/34 · Moderate
Exposure
7/34 · Low