cnvd - cnvd-2021-33843

cnvd-2021-33843

Vulnerability from cnvd

Title: Oracle Hyperion Financial Management存在未明漏洞（CNVD-2021-33843）

Description:

Oracle Hyperion Financial Management是一个基于Web的综合应用，它通过一个高度可扩展的软件解决方案提供全局财务合并、报告和分析功能。

Oracle Hyperion Financial Management 11.1.2.4版中的Task Automation组件存在安全漏洞。攻击者可利用该漏通过HTTP访问网络的高特权攻击者危害Hyperion财务管理。

Severity: 中

Patch Name: Oracle Hyperion Financial Management存在未明漏洞（CNVD-2021-33843）的补丁

Patch Description:

Oracle Hyperion Financial Management是一个基于Web的综合应用，它通过一个高度可扩展的软件解决方案提供全局财务合并、报告和分析功能。

Oracle Hyperion Financial Management 11.1.2.4版中的Task Automation组件存在安全漏洞。攻击者可利用该漏通过HTTP访问网络的高特权攻击者危害Hyperion财务管理。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://www.oracle.com/security-alerts/cpuapr2021.html

Reference: https://www.oracle.com/security-alerts/cpuapr2021.html

Impacted products

Name
Oracle Hyperion Financial Management 11.1.2.4

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-2158",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-2158"
    }
  },
  "description": "Oracle Hyperion Financial Management\u662f\u4e00\u4e2a\u57fa\u4e8eWeb\u7684\u7efc\u5408\u5e94\u7528\uff0c\u5b83\u901a\u8fc7\u4e00\u4e2a\u9ad8\u5ea6\u53ef\u6269\u5c55\u7684\u8f6f\u4ef6\u89e3\u51b3\u65b9\u6848\u63d0\u4f9b\u5168\u5c40\u8d22\u52a1\u5408\u5e76\u3001\u62a5\u544a\u548c\u5206\u6790\u529f\u80fd\u3002\n\nOracle Hyperion Financial Management 11.1.2.4\u7248\u4e2d\u7684Task Automation\u7ec4\u4ef6\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u901a\u8fc7HTTP\u8bbf\u95ee\u7f51\u7edc\u7684\u9ad8\u7279\u6743\u653b\u51fb\u8005\u5371\u5bb3Hyperion\u8d22\u52a1\u7ba1\u7406\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.oracle.com/security-alerts/cpuapr2021.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-33843",
  "openTime": "2021-05-11",
  "patchDescription": "Oracle Hyperion Financial Management\u662f\u4e00\u4e2a\u57fa\u4e8eWeb\u7684\u7efc\u5408\u5e94\u7528\uff0c\u5b83\u901a\u8fc7\u4e00\u4e2a\u9ad8\u5ea6\u53ef\u6269\u5c55\u7684\u8f6f\u4ef6\u89e3\u51b3\u65b9\u6848\u63d0\u4f9b\u5168\u5c40\u8d22\u52a1\u5408\u5e76\u3001\u62a5\u544a\u548c\u5206\u6790\u529f\u80fd\u3002\r\n\r\nOracle Hyperion Financial Management 11.1.2.4\u7248\u4e2d\u7684Task Automation\u7ec4\u4ef6\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u901a\u8fc7HTTP\u8bbf\u95ee\u7f51\u7edc\u7684\u9ad8\u7279\u6743\u653b\u51fb\u8005\u5371\u5bb3Hyperion\u8d22\u52a1\u7ba1\u7406\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Oracle Hyperion Financial Management\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2021-33843\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Oracle Hyperion Financial Management 11.1.2.4"
  },
  "referenceLink": "https://www.oracle.com/security-alerts/cpuapr2021.html",
  "serverity": "\u4e2d",
  "submitTime": "2021-04-21",
  "title": "Oracle Hyperion Financial Management\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2021-33843\uff09"
}

CVE-2021-2158 (GCVE-0-2021-2158)

Vulnerability from cvelistv5

Published

2021-04-22 21:53

Modified

2024-09-26 15:34

Severity ?

3.9 (Low) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

CWE

Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Hyperion Financial Management. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Hyperion Financial Management accessible data as well as unauthorized read access to a subset of Hyperion Financial Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Hyperion Financial Management.

Summary

Vulnerability in the Hyperion Financial Management product of Oracle Hyperion (component: Task Automation). The supported version that is affected is 11.1.2.4. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Hyperion Financial Management. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Hyperion Financial Management accessible data as well as unauthorized read access to a subset of Hyperion Financial Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Hyperion Financial Management. CVSS 3.1 Base Score 3.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L).

References

▼	URL	Tags
	https://www.oracle.com/security-alerts/cpuapr2021.html	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Oracle Corporation	Hyperion Financial Management	Version: 11.1.2.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T16:32:03.091Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2021.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-2158",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-26T14:44:14.779050Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-26T15:34:12.704Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Hyperion Financial Management",
          "vendor": "Oracle Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "11.1.2.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vulnerability in the Hyperion Financial Management product of Oracle Hyperion (component: Task Automation). The supported version that is affected is 11.1.2.4. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Hyperion Financial Management. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Hyperion Financial Management accessible data as well as unauthorized read access to a subset of Hyperion Financial Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Hyperion Financial Management. CVSS 3.1 Base Score 3.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.9,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Hyperion Financial Management.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Hyperion Financial Management accessible data as well as  unauthorized read access to a subset of Hyperion Financial Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Hyperion Financial Management.",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-04-22T21:53:46",
        "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "shortName": "oracle"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2021.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert_us@oracle.com",
          "ID": "CVE-2021-2158",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Hyperion Financial Management",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "11.1.2.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Oracle Corporation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Vulnerability in the Hyperion Financial Management product of Oracle Hyperion (component: Task Automation). The supported version that is affected is 11.1.2.4. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Hyperion Financial Management. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Hyperion Financial Management accessible data as well as unauthorized read access to a subset of Hyperion Financial Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Hyperion Financial Management. CVSS 3.1 Base Score 3.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L)."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": "3.9",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Hyperion Financial Management.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Hyperion Financial Management accessible data as well as  unauthorized read access to a subset of Hyperion Financial Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Hyperion Financial Management."
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2021.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
    "assignerShortName": "oracle",
    "cveId": "CVE-2021-2158",
    "datePublished": "2021-04-22T21:53:46",
    "dateReserved": "2020-12-09T00:00:00",
    "dateUpdated": "2024-09-26T15:34:12.704Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted