CVE-2022-21500

high-risk

Published 2022-05-20

Vulnerability in Oracle E-Business Suite (component: Manage Proxies). The supported version that is affected is 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle E-Business Suite. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle E-Business Suite accessible data. Note: Authentication is required for successful attack, however the user may be self-registered. <br> <br>Oracle E-Business Suite 12.1 is not impacted by this vulnerability. Customers should refer to the Patch Availability Document for details. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Do I need to act?

93.9% chance of exploitation in next 30 days

EPSS score — higher than 6% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (2)

E-Business Suite

User Management

Affected Vendors

Oracle

References (4)

Vendor Advisory https://www.oracle.com/security-alerts/alert-cve-2022-21500.html

Patch https://www.oracle.com/security-alerts/cpujul2022.html

Vendor Advisory https://www.oracle.com/security-alerts/alert-cve-2022-21500.html

Patch https://www.oracle.com/security-alerts/cpujul2022.html

/ 100

high-risk

Severity 26/34 · High

Exploitability 20/34 · Moderate

Exposure 7/34 · Low