The version of Oracle WebCenter Portal installed on the remote host is missing a security patch from the October 2019 Critical Patch Update (CPU). It is, therefore, affected by an arbitrary file read vulnerability in the FasterXML jackson-databind subcomponent. This is due to missing com.mysql.cj.jdbc.admin.MiniAdmin validation. An unauthenticated, remote attacker can exploit this, via sending a crafted JSON message, to read arbitrary files and disclose sensitive information.
Binary data oracle_webcenter_portal_cpu_oct_2019.nbin
Vendor | Product | Version |
---|---|---|
oracle | fusion_middleware |