http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

105656

https://github.com/nahsra/antisamy/issues/10

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

The version of Oracle Application Testing Suite installed on the remote host is affected by multiple vulnerabilities : 

  - Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager (component: Oracle Flow Builder (Jython)).   Supported versions that are affected are 12.5.0.3, 13.1.0.1, 13.2.0.1 and 13.3.0.1.   Easily exploitable vulnerability allows unauthenticated attacker with network   access via HTTP to compromise Oracle Application Testing Suite. Successful attacks    of this vulnerability can result in takeover of Oracle Application Testing Suite.   (CVE-2016-4000)	

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Oracle Flow Builder (Jython).  An unauthenticated, remote attacker with network     access via HTTP to compromise Oracle Application Testing Suite. (CVE-2016-4000)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Load Testing for Web Apps (Apache POI).  An unauthenticated, remote attacker with network     access via HTTP to compromise Oracle Application Testing Suite and cause the process to hang     or frequently repeatable crash (complete DOS). (CVE-2017-12626)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Oracle Flow Builder (Apache POI).  An unauthenticated, remote attacker with network     access via HTTP to compromise Oracle Application Testing Suite and cause the process to hang     or frequently repeatable crash (complete DOS). (CVE-2017-12626)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Load Testing for Web Apps (AntiSamy).  An unauthenticated, remote attacker with network     access via HTTP who is able to obtain human interaction can impact additional products and result in     an unauthorized update, insert, or delete access to some accessible data as well as unauthorized     read access to a subset of accessible data. (CVE-2017-14735)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Oracle Flow Builder (Antisamy).  An unauthenticated, remote attacker with network     access via HTTP who is able to obtain human interaction can impact additional products and result in     an unauthorized update, insert, or delete access to some accessible data as well as unauthorized     read access to a subset of accessible data. (CVE-2017-14735)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Load Testing for Web Apps (Application Development Framework).  An unauthenticated, remote attacker with network     access via HTTP can result in takeover of Oracle Application Testing Suite. (CVE-2019-2904)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Oracle Flow Builder (jQuery).  An unauthenticated, remote attacker with network     access via HTTP who is able to obtain human interaction can impact additional products and result in     an unauthorized update, insert, or delete access to some accessible data as well as unauthorized     read access to a subset of accessible data. (CVE-2019-11358)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Load Testing for Web Apps (Apache POI).  An authenticated, low priviledged remote attacker     with network access to the infrastructure can result in unauthorized access to critical data or    complete access to all Oracle Application Testing Suite accessible data. (CVE-2019-12415)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Oracle Flow Builder.  An unauthenticated remote attacker     with network access via HTTP can result in unauthorized access to critical data or    complete access to all Oracle Application Testing Suite accessible data. (CVE-2020-2673)

CVE-2017-14735

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins

high