Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLE_WEBCENTER_SITES_OCT_2021_CPU.NASL
HistoryOct 26, 2021 - 12:00 a.m.

Oracle WebCenter Sites Multiple Vulnerabilities (Oct 2021 CPU)

2021-10-2600:00:00
This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
21

7.3 High

AI Score

Confidence

High

JSON

Oracle WebCenter Sites component of Oracle Fusion Middleware is affected by multiple vulnerabilities.

  • Component: WebCenter Sites (Terracotta Quartz Scheduler)). The supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites. (CVE-2019-13990)

  • Component: WebCenter Sites (XStream)). The supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites. (CVE-2021-29505)

  • Component: WebCenter Sites (dojo)). The supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebCenter Sites accessible data. (CVE-2020-5258)

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(154418);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/28");

  script_cve_id(
    "CVE-2019-12415",
    "CVE-2019-13990",
    "CVE-2020-5258",
    "CVE-2021-26272",
    "CVE-2021-27906",
    "CVE-2021-29505"
  );
  script_xref(name:"IAVA", value:"2021-A-0480");
  script_xref(name:"CEA-ID", value:"CEA-2021-0004");

  script_name(english:"Oracle WebCenter Sites Multiple Vulnerabilities (Oct 2021 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"An application running on the remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"Oracle WebCenter Sites component of Oracle Fusion Middleware is affected by multiple vulnerabilities.

  - Component: WebCenter Sites (Terracotta Quartz Scheduler)). The supported
  versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable
  vulnerability allows unauthenticated attacker with network access via HTTP to
  compromise Oracle WebCenter Sites. Successful attacks of this vulnerability
  can result in takeover of Oracle WebCenter Sites. (CVE-2019-13990)

  - Component: WebCenter Sites (XStream)). The supported versions that are
  affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability
  allows low privileged attacker with network access via HTTP to compromise
  Oracle WebCenter Sites. Successful attacks of this vulnerability can result
  in takeover of Oracle WebCenter Sites. (CVE-2021-29505)

  - Component: WebCenter Sites (dojo)). The supported versions that are
  affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability
  allows unauthenticated attacker with network access via HTTP to compromise
  Oracle WebCenter Sites. Successful attacks of this vulnerability can result
  in unauthorized creation, deletion or modification access to critical data or
  all Oracle WebCenter Sites accessible data. (CVE-2020-5258)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported 
version");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpuoct2021.html");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/a/tech/docs/cpuoct2021cvrf.xml");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the October 2021 Oracle Critical Patch Update advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-13990");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/10/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/10/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/10/26");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:webcenter_sites");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_webcenter_sites_installed.nbin", "oracle_enum_products_win.nbin");
  script_require_keys("SMB/WebCenter_Sites/Installed");

  exit(0);
}
include('vcf_extras_oracle_webcenter_sites.inc');

var app_info = vcf::oracle_webcenter_sites::get_app_info();

# neither patch updates revision number
var constraints = [
  {'min_version' : '12.2.1.3', 'fixed_version' : '12.2.1.3.211019'},
  {'min_version' : '12.2.1.4', 'fixed_version' : '12.2.1.4.211019'}
];

vcf::oracle_webcenter_sites::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_HOLE
);
VendorProductVersionCPE
oraclefusion_middlewarecpe:/a:oracle:fusion_middleware
oraclewebcenter_sitescpe:/a:oracle:webcenter_sites

Related

ibm 88
redhatcve 6
osv 13
veracode 6
debiancve 6
nessus 28
prion 6
github 6
cve 6
ubuntucve 6
atlassian 5
mageia 3
rosalinux 2
symantec 1
oraclelinux 1
githubexploit 2
nuclei 1
seebug 1
redhat 2
centos 1
suse 2
debian 2
amazon 1
fedora 3
openvas 1
ibm
ibm
Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities - Terracotta Quartz ( CVE-2019-13990)
2020-10-27 23:52:58
Security Bulletin: XStream (Publicly disclosed vulnerability)
2021-08-23 05:41:20
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Terracotta Quartz Scheduler
2020-08-29 08:57:53
redhatcve
redhatcve
CVE-2019-13990
2020-02-10 11:44:18
CVE-2021-26272
2022-05-20 22:50:58
CVE-2021-27906
2021-03-19 20:26:37
osv
osv
CVE-2019-13990
2019-07-26 19:15:11
Inclusion of Functionality from Untrusted Control Sphere in CKEditor 4
2021-10-13 15:34:09
Uncontrolled Memory Allocation in Apache PDFBox
2021-05-13 22:30:13
veracode
veracode
Regular Expression Denial Of Service (ReDoS)
2021-01-27 05:34:12
XML External Entity (XXE)
2020-02-19 04:27:53
XML External Entity (XXE)
2019-10-24 07:13:29
debiancve
debiancve
CVE-2021-26272
2021-01-26 21:15:00
CVE-2021-27906
2021-03-19 16:15:00
CVE-2019-13990
2019-07-26 19:15:00
nessus
nessus
Atlassian JIRA Service Desk < 4.20.26 / 5.4.x < 5.4.10 / 5.5.x < 5.7.2 / 5.8.x < 5.8.2 / 5.9.x < 5.9.2 / 5.10.x < 5.10.1 (JSDSERVER-14401)
2023-10-20 00:00:00
NewStart CGSL CORE 5.05 / MAIN 5.05 : xstream Vulnerability (NS-SA-2022-0045)
2022-05-10 00:00:00
openSUSE 15 Security Update : xstream (openSUSE-SU-2021:1995-1)
2021-07-16 00:00:00
prion
prion
Design/Logic Flaw
2019-07-26 19:15:00
Code injection
2021-03-19 16:15:00
Xxe
2019-10-23 20:15:00
github
github
XML external entity injection in Terracotta Quartz Scheduler
2020-07-01 17:55:03
Uncontrolled Memory Allocation in Apache PDFBox
2021-05-13 22:30:13
XStream is vulnerable to a Remote Command Execution attack
2021-05-18 18:36:27
cve
cve
CVE-2019-13990
2019-07-26 19:15:00
CVE-2021-29505
2021-05-28 21:15:00
CVE-2021-26272
2021-01-26 21:15:00
ubuntucve
ubuntucve
CVE-2019-13990
2019-07-26 00:00:00
CVE-2021-26272
2021-01-26 00:00:00
CVE-2019-12415
2019-10-23 00:00:00
atlassian
atlassian
Vulnerable version of XStream used in Jira Server and Data Center - CVE-2021-29505
2021-08-04 14:52:08
Vulnerable version of XStream used in Jira Server and Data Center - CVE-2021-29505
2021-08-04 14:52:08
XXE (XML External Entity Injection) in Jira Service Management Data Center and Server - CVE-2019-13990
2023-09-20 15:53:19
mageia
mageia
Updated quartz packages fix a security vulnerability
2021-03-15 00:20:42
Updated pdfbox packages fix security vulnerabilities
2021-04-12 22:59:59
Updated dojo packages fix security vulnerability
2020-05-27 12:52:46
rosalinux
rosalinux
Advisory ROSA-SA-2023-2272
2023-10-22 06:16:50
Advisory ROSA-SA-2023-2271
2023-10-22 06:15:20
symantec
symantec
Apache POI CVE-2019-12415 XML External Entity Information Disclosure Vulnerability
2019-10-23 00:00:00
oraclelinux
oraclelinux
xstream security update
2021-07-13 00:00:00
githubexploit
githubexploit
Exploit for Code Injection in Xstream Project Xstream
2021-06-08 05:27:57
Exploit for Code Injection in Linuxfoundation Dojo
2020-12-01 09:45:48
nuclei
nuclei
XStream <1.4.17 - Remote Code Execution
2023-03-12 03:38:05
seebug
seebug
XStream远程代码执行漏洞(CVE-2021-29505)
2021-05-17 00:00:00
redhat
redhat
(RHSA-2021:2683) Important: xstream security update
2021-07-12 07:29:15
(RHSA-2020:3247) Important: RHV Manager (ovirt-engine) 4.4 security, bug fix, and enhancement update
2020-08-04 12:44:40
centos
centos
xstream security update
2021-07-13 21:13:30
suse
suse
Security update for xstream (important)
2021-07-11 00:00:00
Security update for xstream (important)
2021-06-24 00:00:00
debian
debian
[SECURITY] [DLA 2704-1] libxstream-java security update
2021-07-05 16:43:05
[SECURITY] [DLA 2139-1] dojo security update
2020-03-11 19:14:41
amazon
amazon
Important: xstream
2021-08-04 20:32:00
fedora
fedora
[SECURITY] Fedora 34 Update: pdfbox-2.0.23-1.fc34
2021-03-26 00:18:10
[SECURITY] Fedora 32 Update: pdfbox-2.0.23-1.fc32
2021-03-30 14:30:44
[SECURITY] Fedora 33 Update: pdfbox-2.0.23-1.fc33
2021-03-30 14:31:17
openvas
openvas
Debian LTS: Security Advisory for dojo (DLA-2139-1)
2020-03-18 00:00:00

7.3 High

AI Score

Confidence

High

JSON
Related for ORACLE_WEBCENTER_SITES_OCT_2021_CPU.NASL
ibm88redhatcve6osv13veracode6debiancve6nessus28prion6github6cve6ubuntucve6atlassian5mageia3rosalinux2symantec1oraclelinux1githubexploit2nuclei1seebug1redhat2centos1suse2debian2amazon1fedora3openvas1