CVE-2024-20953

Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain (component: Export). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in takeover of Oracle Agile PLM. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.oracle.com/security-alerts/cpujan2024.html	Vendor Advisory
https://www.oracle.com/security-alerts/cpujan2024.html	Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-20953
https://www.zerodayinitiative.com/advisories/ZDI-24-096/	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.6:*:*:*:*:*:*:*

History

21 Oct 2025, 23:16

Type	Values Removed	Values Added
References		() https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-20953 -

21 Oct 2025, 20:19

Type	Values Removed	Values Added
References	~~{'url': 'https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-20953', 'source': '134c704f-9b21-4f2e-91b3-4a467353bcc0'}~~

21 Oct 2025, 19:20

Type	Values Removed	Values Added
References		() https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-20953 -
References	~~() https://www.zerodayinitiative.com/advisories/ZDI-24-096/ -~~	() https://www.zerodayinitiative.com/advisories/ZDI-24-096/ - Third Party Advisory

13 Feb 2025, 18:16

Type	Values Removed	Values Added
References		() https://www.zerodayinitiative.com/advisories/ZDI-24-096/ -
CWE		CWE-502

Information

Published : 2024-02-17 02:15

Updated : 2025-10-21 23:16

NVD link : CVE-2024-20953

Mitre link : CVE-2024-20953

CVE.ORG link : CVE-2024-20953

JSON object : View

Products Affected

oracle

agile_product_lifecycle_management

CWE

NVD-CWE-noinfo CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2024-20953", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "secalert_us@oracle.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-02-17T02:15:49.520", "references": [{"url": "https://www.oracle.com/security-alerts/cpujan2024.html", "tags": ["Vendor Advisory"], "source": "secalert_us@oracle.com"}, {"url": "https://www.oracle.com/security-alerts/cpujan2024.html", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-20953", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}, {"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-096/", "tags": ["Third Party Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain (component: Export). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in takeover of Oracle Agile PLM. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)."}, {"lang": "es", "value": "Vulnerabilidad en el producto Oracle Agile PLM de Oracle Supply Chain (componente: Exportar). La versi\u00f3n compatible afectada es la 9.3.6. Una vulnerabilidad f\u00e1cilmente explotable permite a un atacante con pocos privilegios y acceso a la red a trav\u00e9s de HTTP comprometer Oracle Agile PLM. Los ataques exitosos a esta vulnerabilidad pueden resultar en la adquisici\u00f3n de Oracle Agile PLM. CVSS 3.1 Puntuaci\u00f3n base 8,8 (impactos en la confidencialidad, la integridad y la disponibilidad). Vector CVSS: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)."}], "lastModified": "2025-10-21T23:16:24.100", "cisaActionDue": "2025-03-17", "cisaExploitAdd": "2025-02-24", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4305ED0E-30CC-4AEA-8988-3D1EC93A0BB2"}], "operator": "OR"}]}], "sourceIdentifier": "secalert_us@oracle.com", "cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability"}