Vulnerabilities > CVE-2019-2904 - Unspecified vulnerability in Oracle products

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

oracle

nessus

NVD

Published: 2019-10-16

Updated: 2021-05-18

Summary

Vulnerability in the Oracle JDeveloper and ADF product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 11.1.1.9.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle JDeveloper and ADF. Successful attacks of this vulnerability can result in takeover of Oracle JDeveloper and ADF. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Vulnerable Configurations

Part	Description	Count
Application	Oracle Oracle Application Testing Suite 12.5.0.3 Oracle Application Testing Suite 13.1.0.1 Oracle Application Testing Suite 13.2.0.1 Oracle Application Testing Suite 13.3.0.1 Oracle Banking Enterprise Collections 2.7.0 Oracle Banking Enterprise Collections 2.8.0 Oracle Banking Enterprise Originations 2.7.0 Oracle Banking Enterprise Originations 2.8.0 Oracle Banking Enterprise Product Manufacturing 2.7.0 Oracle Banking Enterprise Product Manufacturing 2.8.0 Oracle Banking Platform 2.4.0 Oracle Banking Platform 2.4.1 Oracle Banking Platform 2.5.0 Oracle Banking Platform 2.6.0 Oracle Banking Platform 2.6.1 Oracle Banking Platform 2.6.2 Oracle Banking Platform 2.7.0 Oracle Banking Platform 2.7.1 Oracle Banking Platform 2.9.0 Oracle Business Process Management Suite 12.2.1.3.0 Oracle Business Process Management Suite 12.2.1.4.0 Oracle Clinical 5.2 Oracle Communications Diameter Signaling Router 8.0.0.0 Oracle Communications Diameter Signaling Router 8.1 Oracle Communications Diameter Signaling Router 8.2 Oracle Communications Diameter Signaling Router 8.2.1 Oracle Communications Diameter Signaling Router 8.2.2 Oracle Communications Diameter Signaling Router 8.3 Oracle Communications Diameter Signaling Router 8.4.0.5 Oracle Communications Network Integrity 7.3.2 Oracle Communications Network Integrity 7.3.5 Oracle Communications Network Integrity 7.3.6 Oracle Communications Service Broker 6.0 Oracle Communications Service Broker 6.1 Oracle Communications Services Gatekeeper 6.0 Oracle Communications Services Gatekeeper 6.1 Oracle Enterprise Repository 11.1.1.7.0 Oracle Financial Services Lending AND Leasing 12.5.0 Oracle Financial Services Lending AND Leasing 14.1.0 Oracle Financial Services Revenue Management AND Billing Analytics 2.6 Oracle Financial Services Revenue Management AND Billing Analytics 2.7 Oracle Financial Services Revenue Management AND Billing Analytics 2.8 Oracle Flexcube Private Banking 12.0.0 Oracle Flexcube Private Banking 12.1.0 Oracle Health Sciences Data Management Workbench 2.4 Oracle Health Sciences Data Management Workbench 2.5 Oracle Hyperion Planning 11.1.2.4 Oracle Rapid Planning 12.1.3 Oracle Retail Assortment Planning 15.0.3.0 Oracle Retail Assortment Planning 16.0.3.0 Oracle Retail Clearance Optimization Engine 13.4 Oracle Retail Clearance Optimization Engine 14.0.3 Oracle Retail Clearance Optimization Engine 14.0.5 Oracle Retail Markdown Optimization 13.4 Oracle Retail Sales Audit 15.0.3 Oracle Retail Sales Audit 16.0.2	56

Nessus

NASL family	Misc.
NASL id	ORACLE_OATS_CPU_JAN_2020.NASL
description	The version of Oracle Application Testing Suite installed on the remote host is affected by multiple vulnerabilities : - Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager (component: Oracle Flow Builder (Jython)). Supported versions that are affected are 12.5.0.3, 13.1.0.1, 13.2.0.1 and 13.3.0.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Testing Suite. Successful attacks of this vulnerability can result in takeover of Oracle Application Testing Suite. (CVE-2016-4000) - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager subcomponent Oracle Flow Builder (Jython). An unauthenticated, remote attacker with network access via HTTP to compromise Oracle Application Testing Suite. (CVE-2016-4000) - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager subcomponent Load Testing for Web Apps (Apache POI). An unauthenticated, remote attacker with network access via HTTP to compromise Oracle Application Testing Suite and cause the process to hang or frequently repeatable crash (complete DOS). (CVE-2017-12626) - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager subcomponent Oracle Flow Builder (Apache POI). An unauthenticated, remote attacker with network access via HTTP to compromise Oracle Application Testing Suite and cause the process to hang or frequently repeatable crash (complete DOS). (CVE-2017-12626) - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager subcomponent Load Testing for Web Apps (AntiSamy). An unauthenticated, remote attacker with network access via HTTP who is able to obtain human interaction can impact additional products and result in an unauthorized update, insert, or delete access to some accessible data as well as unauthorized read access to a subset of accessible data. (CVE-2017-14735) - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager subcomponent Oracle Flow Builder (Antisamy). An unauthenticated, remote attacker with network access via HTTP who is able to obtain human interaction can impact additional products and result in an unauthorized update, insert, or delete access to some accessible data as well as unauthorized read access to a subset of accessible data. (CVE-2017-14735) - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager subcomponent Load Testing for Web Apps (Application Development Framework). An unauthenticated, remote attacker with network access via HTTP can result in takeover of Oracle Application Testing Suite. (CVE-2019-2904) - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager subcomponent Oracle Flow Builder (jQuery). An unauthenticated, remote attacker with network access via HTTP who is able to obtain human interaction can impact additional products and result in an unauthorized update, insert, or delete access to some accessible data as well as unauthorized read access to a subset of accessible data. (CVE-2019-11358) - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager subcomponent Load Testing for Web Apps (Apache POI). An authenticated, low priviledged remote attacker with network access to the infrastructure can result in unauthorized access to critical data or complete access to all Oracle Application Testing Suite accessible data. (CVE-2019-12415) - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager subcomponent Oracle Flow Builder. An unauthenticated remote attacker with network access via HTTP can result in unauthorized access to critical data or complete access to all Oracle Application Testing Suite accessible data. (CVE-2020-2673)
last seen	2020-05-08
modified	2020-01-27
plugin id	133260
published	2020-01-27
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/133260
title	Oracle Application Testing Suite Multiple Vulnerabilities (Jan 2020 CPU)

Summary

Vulnerable Configurations

Nessus

References