CVE-2021-35587 Oracle Access Manager Vulnerability

Vulnerability

CVE-2021-35587


Description

  • POC for CVE-2021-35587: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager.
  • create by antx at 2022-03-14.

Detail

  • Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: OpenSSO Agent).
  • Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager.
  • Successful attacks of this vulnerability can result in takeover of Oracle Access Manager.

CVE Severity

  • attackComplexity: LOW
  • attackVector: NETWORK
  • availabilityImpact: HIGH
  • confidentialityImpact: HIGH
  • integrityImpact: HIGH
  • privilegesRequired: NONE
  • scope: UNCHANGED
  • userInteraction: NONE
  • version: 3.1
  • baseScore: 9.8
  • baseSeverity: CRITICAL

Affect

  • Access Manager
    • 11.1.2.3.0
    • 12.2.1.3.0
    • 12.2.1.4.0

POC

https://github.com/antx-code/CVE-2021-35587/blob/main/CVE-2021-35587.py

Reference

The CVE-2021-35587 Guide Patterns is a github repository by antx