CVE-2024-21281

Vulnerability in the Oracle Banking Liquidity Management product of Oracle Financial Services Applications (component: Infrastructure). The supported version that is affected is 14.7.0.6.0. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Banking Liquidity Management. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Banking Liquidity Management accessible data as well as unauthorized read access to a subset of Oracle Banking Liquidity Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Banking Liquidity Management. CVSS 3.1 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:L).

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.5 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://www.oracle.com/security-alerts/cpuoct2024.html	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:oracle:banking_liquidity_management:14.7.0.6.0:*:*:*:*:*:*:*

History

10 Feb 2025, 23:15

Type	Values Removed	Values Added
CWE		CWE-444

Information

Published : 2024-10-15 20:15

Updated : 2025-02-10 23:15

NVD link : CVE-2024-21281

Mitre link : CVE-2024-21281

CVE.ORG link : CVE-2024-21281

JSON object : View

Products Affected

oracle

banking_liquidity_management

CWE

NVD-CWE-noinfo CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

{"id": "CVE-2024-21281", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "secalert_us@oracle.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 0.5}]}, "published": "2024-10-15T20:15:20.647", "references": [{"url": "https://www.oracle.com/security-alerts/cpuoct2024.html", "tags": ["Vendor Advisory"], "source": "secalert_us@oracle.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-444"}]}], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle Banking Liquidity Management product of Oracle Financial Services Applications (component: Infrastructure). The supported version that is affected is 14.7.0.6.0. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Banking Liquidity Management. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Banking Liquidity Management accessible data as well as unauthorized read access to a subset of Oracle Banking Liquidity Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Banking Liquidity Management. CVSS 3.1 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:L)."}, {"lang": "es", "value": "Vulnerabilidad en el producto Oracle Banking Liquidity Management de Oracle Financial Services Applications (componente: Infraestructura). La versi\u00f3n compatible afectada es la 14.7.0.6.0. Esta vulnerabilidad, dif\u00edcil de explotar, permite que un atacante con privilegios elevados y acceso a la red a trav\u00e9s de HTTP ponga en peligro Oracle Banking Liquidity Management. Los ataques exitosos requieren la interacci\u00f3n humana de una persona distinta del atacante. Los ataques exitosos de esta vulnerabilidad pueden dar como resultado la creaci\u00f3n, eliminaci\u00f3n o modificaci\u00f3n no autorizadas de datos cr\u00edticos o de todos los datos accesibles de Oracle Banking Liquidity Management, as\u00ed como el acceso de lectura no autorizado a un subconjunto de datos accesibles de Oracle Banking Liquidity Management y la capacidad no autorizada de provocar una denegaci\u00f3n de servicio parcial (DOS parcial) de Oracle Banking Liquidity Management. Puntuaci\u00f3n base CVSS 3.1 5.3 (impactos en la confidencialidad, integridad y disponibilidad). Vector CVSS: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:L)."}], "lastModified": "2025-02-10T23:15:12.620", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:banking_liquidity_management:14.7.0.6.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "46370D5C-11B2-4D86-A012-F5B9243229B0"}], "operator": "OR"}]}], "sourceIdentifier": "secalert_us@oracle.com"}