cnvd - cnvd-2020-58770

cnvd-2020-58770

Vulnerability from cnvd

Title: IBM Oracle REST Data Services未授权访问漏洞

Description:

IBM Oracle REST Data Services（ORDS）是美国IBM公司的一个 JAVA Web的中间件应用。该中间件可将 Http/Https 等REST接口映射到数据库事务。

Oracle REST Data Services存在未授权访问漏洞，攻击者可利用该漏洞通过HTTP进行网络访问，从而危及Oracle REST数据服务。此漏洞的成功攻击可能导致对Oracle REST数据服务访问数据子集的未授权读取数据。

Severity: 中

Patch Name: IBM Oracle REST Data Services未授权访问漏洞的补丁

Patch Description:

IBM Oracle REST Data Services（ORDS）是美国IBM公司的一个 JAVA Web的中间件应用。该中间件可将 Http/Https 等REST接口映射到数据库事务。

Oracle REST Data Services存在未授权访问漏洞，攻击者可利用该漏洞通过HTTP进行网络访问，从而危及Oracle REST数据服务。此漏洞的成功攻击可能导致对Oracle REST数据服务访问数据子集的未授权读取数据。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://www.oracle.com/security-alerts/cpuoct2020.html

Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-14745

Impacted products

Name
['IBM IBM Oracle REST Data Services 11.2.0.4', 'IBM IBM Oracle REST Data Services 12.1.0.2', 'IBM IBM Oracle REST Data Services 12.2.0.1', 'IBM IBM Oracle REST Data Services 18c', 'IBM IBM Oracle REST Data Services 19c', 'IBM IBM Oracle REST Data Services <20.2.1']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-14745",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-14745"
    }
  },
  "description": "IBM Oracle REST Data Services\uff08ORDS\uff09\u662f\u7f8e\u56fdIBM\u516c\u53f8\u7684\u4e00\u4e2a JAVA Web\u7684\u4e2d\u95f4\u4ef6\u5e94\u7528\u3002\u8be5\u4e2d\u95f4\u4ef6\u53ef\u5c06 Http/Https \u7b49REST\u63a5\u53e3\u6620\u5c04\u5230\u6570\u636e\u5e93\u4e8b\u52a1\u3002\n\nOracle REST Data Services\u5b58\u5728\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7HTTP\u8fdb\u884c\u7f51\u7edc\u8bbf\u95ee\uff0c\u4ece\u800c\u5371\u53caOracle REST\u6570\u636e\u670d\u52a1\u3002\u6b64\u6f0f\u6d1e\u7684\u6210\u529f\u653b\u51fb\u53ef\u80fd\u5bfc\u81f4\u5bf9Oracle REST\u6570\u636e\u670d\u52a1\u8bbf\u95ee\u6570\u636e\u5b50\u96c6\u7684\u672a\u6388\u6743\u8bfb\u53d6\u6570\u636e\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://www.oracle.com/security-alerts/cpuoct2020.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-58770",
  "openTime": "2020-10-26",
  "patchDescription": "IBM Oracle REST Data Services\uff08ORDS\uff09\u662f\u7f8e\u56fdIBM\u516c\u53f8\u7684\u4e00\u4e2a JAVA Web\u7684\u4e2d\u95f4\u4ef6\u5e94\u7528\u3002\u8be5\u4e2d\u95f4\u4ef6\u53ef\u5c06 Http/Https \u7b49REST\u63a5\u53e3\u6620\u5c04\u5230\u6570\u636e\u5e93\u4e8b\u52a1\u3002\r\n\r\nOracle REST Data Services\u5b58\u5728\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7HTTP\u8fdb\u884c\u7f51\u7edc\u8bbf\u95ee\uff0c\u4ece\u800c\u5371\u53caOracle REST\u6570\u636e\u670d\u52a1\u3002\u6b64\u6f0f\u6d1e\u7684\u6210\u529f\u653b\u51fb\u53ef\u80fd\u5bfc\u81f4\u5bf9Oracle REST\u6570\u636e\u670d\u52a1\u8bbf\u95ee\u6570\u636e\u5b50\u96c6\u7684\u672a\u6388\u6743\u8bfb\u53d6\u6570\u636e\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "IBM Oracle REST Data Services\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "IBM IBM Oracle REST Data Services 11.2.0.4",
      "IBM IBM Oracle REST Data Services 12.1.0.2",
      "IBM IBM Oracle REST Data Services 12.2.0.1",
      "IBM IBM Oracle REST Data Services 18c",
      "IBM IBM Oracle REST Data Services 19c",
      "IBM IBM Oracle REST Data Services \u003c20.2.1"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-14745",
  "serverity": "\u4e2d",
  "submitTime": "2020-10-22",
  "title": "IBM Oracle REST Data Services\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e"
}

CVE-2020-14745 (GCVE-0-2020-14745)

Vulnerability from cvelistv5

Published

2020-10-21 14:04

Modified

2024-09-26 20:29

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE

Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle REST Data Services accessible data.

Summary

Vulnerability in the Oracle REST Data Services product of Oracle REST Data Services (component: General). Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c; Standalone ORDS: prior to 20.2.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

References

▼	URL	Tags
	https://www.oracle.com/security-alerts/cpuoct2020.html	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Oracle Corporation	REST Data Services	Version: 11.2.0.4 Version: 12.1.0.2 Version: 12.2.0.1 Version: 18c Version: 19c; Standalone ORDS: prior to 20.2.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T12:53:43.291Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2020-14745",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-26T19:45:20.301298Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-26T20:29:50.792Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "REST Data Services",
          "vendor": "Oracle Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "11.2.0.4"
            },
            {
              "status": "affected",
              "version": "12.1.0.2"
            },
            {
              "status": "affected",
              "version": "12.2.0.1"
            },
            {
              "status": "affected",
              "version": "18c"
            },
            {
              "status": "affected",
              "version": "19c; Standalone ORDS: prior to 20.2.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vulnerability in the Oracle REST Data Services product of Oracle REST Data Services (component: General). Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c; Standalone ORDS: prior to 20.2.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle REST Data Services.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle REST Data Services accessible data.",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-10-21T14:04:23",
        "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "shortName": "oracle"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert_us@oracle.com",
          "ID": "CVE-2020-14745",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "REST Data Services",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "11.2.0.4"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "12.1.0.2"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "12.2.0.1"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "18c"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "19c; Standalone ORDS: prior to 20.2.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Oracle Corporation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Vulnerability in the Oracle REST Data Services product of Oracle REST Data Services (component: General). Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c; Standalone ORDS: prior to 20.2.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": "4.3",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle REST Data Services.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle REST Data Services accessible data."
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
    "assignerShortName": "oracle",
    "cveId": "CVE-2020-14745",
    "datePublished": "2020-10-21T14:04:23",
    "dateReserved": "2020-06-19T00:00:00",
    "dateUpdated": "2024-09-26T20:29:50.792Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted