ZDI-16-035
Jan 25, 2016 - 12:00 a.m.

Oracle Application Testing Suite Authentication Bypass Vulnerability

2016-01-25 00:00:00
rgod
www.zerodayinitiative.com

CVSS2: 6.4 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N

EPSS: 0.921 High
Percentile: 99.0%

This vulnerability allows remote attackers to bypass authentication on vulnerable installations of Oracle Application Testing Suite. The specific flaw exists within the isAllowedUrl() function used for the admin pages. This function has a list of URI entries which do not require authentication. Because the function only checks to see if a URI starts with one of these entries, an attacker can use directory traversal in the URI to gain access to all of the exposed administrator functionality.
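
The flaw class described above, as an added Python model that is not Oracle's code: a raw starts-with allowlist check next to one that canonicalizes the path first, plus a helper that flags request URIs the two checks disagree on (useful when reviewing access logs). The allowlist entries and sample URIs are constructed assumptions, and the function names other than the idea of isAllowedUrl() are hypothetical.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical allowlist of unauthenticated URIs (constructed, not Oracle's list).
PUBLIC_ENTRIES = ("/admin/login", "/admin/static/")

def is_allowed_url_prefix_only(uri):
    """Model of the flaw: raw prefix match on the URI as received."""
    return uri.startswith(PUBLIC_ENTRIES)

def canonical_path(uri):
    """Return the path as it will be resolved, or None if it cannot be trusted."""
    path = uri.split("?", 1)[0].split("#", 1)[0]
    for _ in range(3):   # undo nested percent-encoding (%252e -> %2e -> .)
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return None      # still changing after three rounds: refuse
    if not path.startswith("/") or "\\" in path or "\x00" in path:
        return None
    # normpath resolves "." and ".." segments; lstrip collapses a leading "//".
    return "/" + posixpath.normpath(path).lstrip("/")

def is_allowed_url_hardened(uri):
    """Match the canonical path: exact for files, segment boundary for directories."""
    path = canonical_path(uri)
    if path is None:
        return False
    for entry in PUBLIC_ENTRIES:
        if entry.endswith("/"):
            if (path + "/").startswith(entry):
                return True
        elif path == entry:
            return True
    return False

# Constructed sample request URIs.
SAMPLES = ["/admin/login", "/admin/static/css/app.css", "/admin/static/../users",
           "/admin/static/%2e%2e/users", "/admin/static/%252e%252e/users", "/admin/users"]

def bypass_candidates(uris):
    """URIs the prefix-only check admits but the hardened check rejects."""
    return [u for u in uris
            if is_allowed_url_prefix_only(u) and not is_allowed_url_hardened(u)]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri:34} prefix_only={is_allowed_url_prefix_only(uri)} "
              f"hardened={is_allowed_url_hardened(uri)}")
```
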
