Vulnerability in the Oracle JDeveloper and ADF product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 11.1.1.9.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle JDeveloper and ADF. Successful attacks of this vulnerability can result in takeover of Oracle JDeveloper and ADF. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

The 19c and 21c versions of Oracle Database Server installed on the remote host are affected by multiple vulnerabilities as referenced in the October 2022 CPU advisory.

  - Vulnerability in the Oracle Database - Machine Learning (Numpy) component of Oracle Database Server. The     supported version that is affected is 21c. Easily exploitable vulnerability allows low privileged attacker     having Create Session privilege with network access via Oracle Net to compromise Oracle Database - Machine     Learning (Numpy). (CVE-2021-41495)  

  - Vulnerability in the Spatial and Graph (jackson-databind) component of Oracle Database Server. Supported     versions that are affected are 19c and 21c. Easily exploitable vulnerability allows low privileged attacker     having Authenticated User privilege with network access via HTTP to compromise Spatial and     Graph (jackson-databind). Successful attacks of this vulnerability can result in unauthorized ability to     cause a hang or frequently repeatable crash (complete DOS) of Spatial and Graph (jackson-databind).
    (CVE-2020-36518)

  - Vulnerability in the Oracle Notification Server (PCRE2) component of Oracle Database Server. Supported     versions that are affected are 19c and 21c. Easily exploitable vulnerability allows low privileged     attacker having Subscriber privilege with network access via HTTP to compromise Oracle Notification     Server (PCRE2). Successful attacks of this vulnerability can result in unauthorized ability to cause     a hang or frequently repeatable crash (complete DOS) of Oracle Notification Server (PCRE2).
    Note: This vulnerability applies to Windows systems only. (CVE-2022-1587)

  - Vulnerability in the Oracle Database - Advanced Queuing component of Oracle Database Server. The supported     version that is affected is 19c. Easily exploitable vulnerability allows high privileged attacker having     DBA user privilege with network access via Oracle Net to compromise Oracle Database - Advanced Queuing.
    Successful attacks of this vulnerability can result in takeover of Oracle Database - Advanced Queuing.
    (CVE-2022-21596)

  - Vulnerability in the Oracle Database - Sharding component of Oracle Database Server. Supported versions     that are affected are 19c and 21c. Easily exploitable vulnerability allows high privileged attacker having     Local Logon privilege with network access via Local Logon to compromise Oracle Database - Sharding.
    Successful attacks of this vulnerability can result in takeover of Oracle Database - Sharding.
    (CVE-2022-21603)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Oracle Business Process Management Suite installed on the remote host is affected by the following vulnerabilities as referenced in the October 2020 CPU advisory:  

  - Vulnerability in the Runtime Engine (Application Development Framework). An unauthenticated, remote     attacker with network access via HTTP can exploit this issue to compromise the Oracle Business Process     Management Suite. Successful attacks require human interaction from a person other than the attacker and     while the vulnerability is in Oracle Business Process Management Suite, attacks may significantly impact     additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or     delete access to some of Oracle Business Process Management Suite accessible data as well as unauthorized     read access to a subset of Oracle Business Process Management Suite accessible data. (CVE-2019-2904)

  - Vulnerability in the Runtime Engine (Apache Ant). An authenticated, local attacker can exploit this issue     to compromise the Oracle Business Process Management Suite. Successful attacks of this vulnerability can     result in unauthorized creation, deletion or modification access to critical data or all Oracle Business     Process Management Suite accessible data as well as unauthorized access to critical data or complete     access to all Oracle Business Process Management Suite accessible data. (CVE-2020-1945)

  - Vulnerability in the Runtime Engine (jQuery). An unauthenticated, remote attacker with network access via     HTTP can exploit this issue to compromise Oracle Business Process Management Suite. Successful attacks     require human interaction from a person other than the attacker and while the vulnerability is in Oracle     Business Process Management Suite, attacks may significantly impact additional products. Successful     attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle     Business Process Management Suite accessible data as well as unauthorized read access to a subset of     Oracle Business Process Management Suite accessible data. (CVE-2019-11358)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version   number.

The version of Oracle Application Testing Suite installed on the remote host is affected by multiple vulnerabilities : 

  - Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager (component: Oracle Flow Builder (Jython)).   Supported versions that are affected are 12.5.0.3, 13.1.0.1, 13.2.0.1 and 13.3.0.1.   Easily exploitable vulnerability allows unauthenticated attacker with network   access via HTTP to compromise Oracle Application Testing Suite. Successful attacks    of this vulnerability can result in takeover of Oracle Application Testing Suite.   (CVE-2016-4000)	

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Oracle Flow Builder (Jython).  An unauthenticated, remote attacker with network     access via HTTP to compromise Oracle Application Testing Suite. (CVE-2016-4000)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Load Testing for Web Apps (Apache POI).  An unauthenticated, remote attacker with network     access via HTTP to compromise Oracle Application Testing Suite and cause the process to hang     or frequently repeatable crash (complete DOS). (CVE-2017-12626)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Oracle Flow Builder (Apache POI).  An unauthenticated, remote attacker with network     access via HTTP to compromise Oracle Application Testing Suite and cause the process to hang     or frequently repeatable crash (complete DOS). (CVE-2017-12626)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Load Testing for Web Apps (AntiSamy).  An unauthenticated, remote attacker with network     access via HTTP who is able to obtain human interaction can impact additional products and result in     an unauthorized update, insert, or delete access to some accessible data as well as unauthorized     read access to a subset of accessible data. (CVE-2017-14735)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Oracle Flow Builder (Antisamy).  An unauthenticated, remote attacker with network     access via HTTP who is able to obtain human interaction can impact additional products and result in     an unauthorized update, insert, or delete access to some accessible data as well as unauthorized     read access to a subset of accessible data. (CVE-2017-14735)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Load Testing for Web Apps (Application Development Framework).  An unauthenticated, remote attacker with network     access via HTTP can result in takeover of Oracle Application Testing Suite. (CVE-2019-2904)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Oracle Flow Builder (jQuery).  An unauthenticated, remote attacker with network     access via HTTP who is able to obtain human interaction can impact additional products and result in     an unauthorized update, insert, or delete access to some accessible data as well as unauthorized     read access to a subset of accessible data. (CVE-2019-11358)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Load Testing for Web Apps (Apache POI).  An authenticated, low priviledged remote attacker     with network access to the infrastructure can result in unauthorized access to critical data or    complete access to all Oracle Application Testing Suite accessible data. (CVE-2019-12415)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Oracle Flow Builder.  An unauthenticated remote attacker     with network access via HTTP can result in unauthorized access to critical data or    complete access to all Oracle Application Testing Suite accessible data. (CVE-2020-2673)

ID	Name	Product	Family	Severity
166370	Oracle Database Server (Oct 2022 CPU)	Nessus	Databases	critical
142210	Oracle Business Process Management Suite (Oct 2020 CPU)	Nessus	Misc.	critical
133260	Oracle Application Testing Suite Multiple Vulnerabilities (Jan 2020 CPU)	Nessus	Misc.	critical

Detections

Analytics

CVE-2019-2904

critical

Tenable Plugins

critical

critical

critical