CVE-2021-35587 Oracle Access Manager Vulnerability

Stella Sebastian March 21, 2022

superior_hosting_service

Vulnerability

CVE-2021-35587

Description

POC for CVE-2021-35587: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager.
create by antx at 2022-03-14.

Detail

Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: OpenSSO Agent).
Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager.
Successful attacks of this vulnerability can result in takeover of Oracle Access Manager.

CVE Severity

attackComplexity: LOW
attackVector: NETWORK
availabilityImpact: HIGH
confidentialityImpact: HIGH
integrityImpact: HIGH
privilegesRequired: NONE
scope: UNCHANGED
userInteraction: NONE
version: 3.1
baseScore: 9.8
baseSeverity: CRITICAL

Affect

Access Manager
- 11.1.2.3.0
- 12.2.1.3.0
- 12.2.1.4.0

POC

https://github.com/antx-code/CVE-2021-35587/blob/main/CVE-2021-35587.py

Reference

Ref-Source
- Oracle Access Manager pre-authentication Remote Code Execution CVE-2020-35587
- Nuclei POC <CVE-2021-35587>
Ref-Risk
- NVD<CVE-2021-35587>
CVE
- CVE-2021-35587
- NVD<CVE-2021-35587>
Ref-Poc-Engine
- pocx

The CVE-2021-35587 Guide Patterns is a github repository by antx

Open Source Security Guide

Tags: attacker bug hunter bugbounty CVE CVE-2021-35587 exploit Hacking Nuclei Oracle Vulnerability

Stella Sebastian March 21, 2022