cnvd - cnvd-2020-68260

cnvd-2020-68260

Vulnerability from cnvd

Title: Oracle Application Express Packaged Apps component存在未明漏洞

Description:

Oracle Applications Manager是美国甲骨文（Oracle）公司的一个应用管理软件。该软件可为 Oracle 数据文件提供监控、趋势分析、故障管理等功能。

Oracle Application Express Packaged Apps component 20.2之前版本存在安全漏洞，攻击者可利用该漏洞拥有合法的用户帐户特权，通过HTTP访问网络，以危及Oracle Application Express软件包应用程序。成功的攻击需要与攻击者以外的人进行交互，而当漏洞出现在Oracle Application Express软件包中的应用程序时，攻击可能会对其他产品产生重大影响。

Severity: 中

Patch Name: Oracle Application Express Packaged Apps component存在未明漏洞的补丁

Patch Description:

Oracle Applications Manager是美国甲骨文（Oracle）公司的一个应用管理软件。该软件可为 Oracle 数据文件提供监控、趋势分析、故障管理等功能。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://www.oracle.com/security-alerts/cpuoct2020.html

Reference: http://www.nsfocus.net/vulndb/50665

Impacted products

Name
Oracle Application Express Packaged Apps component <20.2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-14898",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-14898"
    }
  },
  "description": "Oracle Applications Manager\u662f\u7f8e\u56fd\u7532\u9aa8\u6587\uff08Oracle\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u5e94\u7528\u7ba1\u7406\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u53ef\u4e3a Oracle \u6570\u636e\u6587\u4ef6\u63d0\u4f9b\u76d1\u63a7\u3001\u8d8b\u52bf\u5206\u6790\u3001\u6545\u969c\u7ba1\u7406\u7b49\u529f\u80fd\u3002\n\nOracle Application Express Packaged Apps component 20.2\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u62e5\u6709\u5408\u6cd5\u7684\u7528\u6237\u5e10\u6237\u7279\u6743\uff0c\u901a\u8fc7HTTP\u8bbf\u95ee\u7f51\u7edc\uff0c\u4ee5\u5371\u53caOracle Application Express\u8f6f\u4ef6\u5305\u5e94\u7528\u7a0b\u5e8f\u3002\u6210\u529f\u7684\u653b\u51fb\u9700\u8981\u4e0e\u653b\u51fb\u8005\u4ee5\u5916\u7684\u4eba\u8fdb\u884c\u4ea4\u4e92\uff0c\u800c\u5f53\u6f0f\u6d1e\u51fa\u73b0\u5728Oracle Application Express\u8f6f\u4ef6\u5305\u4e2d\u7684\u5e94\u7528\u7a0b\u5e8f\u65f6\uff0c\u653b\u51fb\u53ef\u80fd\u4f1a\u5bf9\u5176\u4ed6\u4ea7\u54c1\u4ea7\u751f\u91cd\u5927\u5f71\u54cd\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://www.oracle.com/security-alerts/cpuoct2020.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-68260",
  "openTime": "2020-12-01",
  "patchDescription": "Oracle Applications Manager\u662f\u7f8e\u56fd\u7532\u9aa8\u6587\uff08Oracle\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u5e94\u7528\u7ba1\u7406\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u53ef\u4e3a Oracle \u6570\u636e\u6587\u4ef6\u63d0\u4f9b\u76d1\u63a7\u3001\u8d8b\u52bf\u5206\u6790\u3001\u6545\u969c\u7ba1\u7406\u7b49\u529f\u80fd\u3002\r\n\r\nOracle Application Express Packaged Apps component 20.2\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u62e5\u6709\u5408\u6cd5\u7684\u7528\u6237\u5e10\u6237\u7279\u6743\uff0c\u901a\u8fc7HTTP\u8bbf\u95ee\u7f51\u7edc\uff0c\u4ee5\u5371\u53caOracle Application Express\u8f6f\u4ef6\u5305\u5e94\u7528\u7a0b\u5e8f\u3002\u6210\u529f\u7684\u653b\u51fb\u9700\u8981\u4e0e\u653b\u51fb\u8005\u4ee5\u5916\u7684\u4eba\u8fdb\u884c\u4ea4\u4e92\uff0c\u800c\u5f53\u6f0f\u6d1e\u51fa\u73b0\u5728Oracle Application Express\u8f6f\u4ef6\u5305\u4e2d\u7684\u5e94\u7528\u7a0b\u5e8f\u65f6\uff0c\u653b\u51fb\u53ef\u80fd\u4f1a\u5bf9\u5176\u4ed6\u4ea7\u54c1\u4ea7\u751f\u91cd\u5927\u5f71\u54cd\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Oracle Application Express Packaged Apps component\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Oracle Application Express Packaged Apps component \u003c20.2"
  },
  "referenceLink": "http://www.nsfocus.net/vulndb/50665",
  "serverity": "\u4e2d",
  "submitTime": "2020-10-22",
  "title": "Oracle Application Express Packaged Apps component\u5b58\u5728\u672a\u660e\u6f0f\u6d1e"
}

CVE-2020-14898 (GCVE-0-2020-14898)

Vulnerability from cvelistv5

Published

2020-10-21 14:04

Modified

2024-09-26 20:00

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE

Easily exploitable vulnerability allows low privileged attacker having Valid User Account privilege with network access via HTTP to compromise Oracle Application Express Packaged Apps. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Express Packaged Apps, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Express Packaged Apps accessible data as well as unauthorized read access to a subset of Oracle Application Express Packaged Apps accessible data.

Summary

Vulnerability in the Oracle Application Express Packaged Apps component of Oracle Database Server. The supported version that is affected is Prior to 20.2. Easily exploitable vulnerability allows low privileged attacker having Valid User Account privilege with network access via HTTP to compromise Oracle Application Express Packaged Apps. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Express Packaged Apps, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Express Packaged Apps accessible data as well as unauthorized read access to a subset of Oracle Application Express Packaged Apps accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

References

▼	URL	Tags
	https://www.oracle.com/security-alerts/cpuoct2020.html	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Oracle Corporation	Application Express (APEX)	Version: unspecified < 20.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T13:00:51.511Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2020-14898",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-26T19:42:44.567253Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-26T20:00:57.276Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Application Express (APEX)",
          "vendor": "Oracle Corporation",
          "versions": [
            {
              "lessThan": "20.2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vulnerability in the Oracle Application Express Packaged Apps component of Oracle Database Server. The supported version that is affected is Prior to 20.2. Easily exploitable vulnerability allows low privileged attacker having Valid User Account privilege with network access via HTTP to compromise Oracle Application Express Packaged Apps. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Express Packaged Apps, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Express Packaged Apps accessible data as well as unauthorized read access to a subset of Oracle Application Express Packaged Apps accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Easily exploitable vulnerability allows low privileged attacker having Valid User Account privilege with network access via HTTP to compromise Oracle Application Express Packaged Apps.  Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Express Packaged Apps, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Application Express Packaged Apps accessible data as well as  unauthorized read access to a subset of Oracle Application Express Packaged Apps accessible data.",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-10-21T14:04:31",
        "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "shortName": "oracle"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert_us@oracle.com",
          "ID": "CVE-2020-14898",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Application Express (APEX)",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "20.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Oracle Corporation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Vulnerability in the Oracle Application Express Packaged Apps component of Oracle Database Server. The supported version that is affected is Prior to 20.2. Easily exploitable vulnerability allows low privileged attacker having Valid User Account privilege with network access via HTTP to compromise Oracle Application Express Packaged Apps. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Express Packaged Apps, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Express Packaged Apps accessible data as well as unauthorized read access to a subset of Oracle Application Express Packaged Apps accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": "5.4",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Easily exploitable vulnerability allows low privileged attacker having Valid User Account privilege with network access via HTTP to compromise Oracle Application Express Packaged Apps.  Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Express Packaged Apps, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Application Express Packaged Apps accessible data as well as  unauthorized read access to a subset of Oracle Application Express Packaged Apps accessible data."
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
    "assignerShortName": "oracle",
    "cveId": "CVE-2020-14898",
    "datePublished": "2020-10-21T14:04:31",
    "dateReserved": "2020-06-19T00:00:00",
    "dateUpdated": "2024-09-26T20:00:57.276Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted