CVE-2014-2880

Open redirect vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the backUrl parameter in a changepwd action to identity/faces/firstlogin.

CVSS v2.0 5.8 MEDIUM

5.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:N

Exploitability : 8.6 / Impact : 4.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://packetstormsecurity.com/files/125992/Oracle-Identity-Manager-11g-R2-SP1-Unvalidated-Redirect.html
http://www.exploit-db.com/exploits/32670
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
http://www.osvdb.org/105384
http://www.securityfocus.com/bid/66615

Configurations

Configuration 1 (hide)

cpe:2.3:a:oracle:identity_manager:11.1.2.1.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2014-04-17 14:55

Updated : 2024-02-04 18:35

NVD link : CVE-2014-2880

Mitre link : CVE-2014-2880

CVE.ORG link : CVE-2014-2880

JSON object : View

Products Affected

oracle

identity_manager

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2014-2880", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2014-04-17T14:55:12.357", "references": [{"url": "http://packetstormsecurity.com/files/125992/Oracle-Identity-Manager-11g-R2-SP1-Unvalidated-Redirect.html", "source": "cve@mitre.org"}, {"url": "http://www.exploit-db.com/exploits/32670", "source": "cve@mitre.org"}, {"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html", "source": "cve@mitre.org"}, {"url": "http://www.osvdb.org/105384", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/66615", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "Open redirect vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the backUrl parameter in a changepwd action to identity/faces/firstlogin."}, {"lang": "es", "value": "Una vulnerabilidad de redireccionamiento abierto en el componente Oracle Identity Manager en Oracle Fusion Middleware versiones 11.1.1.5, 11.1.1.7, 11.1.2.1 y 11.1.2.2, permite a los atacantes remotos redireccionar a los usuarios a sitios web arbitrarios y realizar ataques de phishing mediante una URL en el par\u00e1metro backUrl en una acci\u00f3n changepwd en el archivo identity/faces/firstlogin."}], "lastModified": "2014-10-17T07:12:06.430", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:identity_manager:11.1.2.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "23B5DF3D-AFF7-4B94-A779-8DEE44846EE1"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}