CVE-2017-3555

Vulnerability in the Oracle iReceivables component of Oracle E-Business Suite (subcomponent: Self Registration). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iReceivables. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle iReceivables. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:P

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html	Vendor Advisory
http://www.securityfocus.com/bid/97757	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1038299
https://erpscan.io/advisories/erpscan-17-024-dos-oracle-e-business-suite-anonymouslogin/
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html	Vendor Advisory
http://www.securityfocus.com/bid/97757	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1038299
https://erpscan.io/advisories/erpscan-17-024-dos-oracle-e-business-suite-anonymouslogin/

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:oracle:ireceivables:12.1.1:::::::*
	cpe:2.3:a:oracle:ireceivables:12.1.2:::::::*
	cpe:2.3:a:oracle:ireceivables:12.1.3:::::::*
	cpe:2.3:a:oracle:ireceivables:12.2.3:::::::*
	cpe:2.3:a:oracle:ireceivables:12.2.4:::::::*
	cpe:2.3:a:oracle:ireceivables:12.2.5:::::::*
	cpe:2.3:a:oracle:ireceivables:12.2.6:::::::*

History

21 Nov 2024, 03:25

Type	Values Removed	Values Added
References	~~() http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html - Vendor Advisory~~	() http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html - Vendor Advisory
References	~~() http://www.securityfocus.com/bid/97757 - Third Party Advisory, VDB Entry~~	() http://www.securityfocus.com/bid/97757 - Third Party Advisory, VDB Entry
References	~~() http://www.securitytracker.com/id/1038299 -~~	() http://www.securitytracker.com/id/1038299 -
References	~~() https://erpscan.io/advisories/erpscan-17-024-dos-oracle-e-business-suite-anonymouslogin/ -~~	() https://erpscan.io/advisories/erpscan-17-024-dos-oracle-e-business-suite-anonymouslogin/ -

Information

Published : 2017-04-24 19:59

Updated : 2025-04-20 01:37

NVD link : CVE-2017-3555

Mitre link : CVE-2017-3555

CVE.ORG link : CVE-2017-3555

JSON object : View

Products Affected

oracle

ireceivables

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2017-3555", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2017-04-24T19:59:04.613", "references": [{"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html", "tags": ["Vendor Advisory"], "source": "secalert_us@oracle.com"}, {"url": "http://www.securityfocus.com/bid/97757", "tags": ["Third Party Advisory", "VDB Entry"], "source": "secalert_us@oracle.com"}, {"url": "http://www.securitytracker.com/id/1038299", "source": "secalert_us@oracle.com"}, {"url": "https://erpscan.io/advisories/erpscan-17-024-dos-oracle-e-business-suite-anonymouslogin/", "source": "secalert_us@oracle.com"}, {"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securityfocus.com/bid/97757", "tags": ["Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securitytracker.com/id/1038299", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://erpscan.io/advisories/erpscan-17-024-dos-oracle-e-business-suite-anonymouslogin/", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle iReceivables component of Oracle E-Business Suite (subcomponent: Self Registration). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily \"exploitable\" vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iReceivables. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle iReceivables. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)."}, {"lang": "es", "value": "Vulnerabilidad en el Oracle iReceivables component of Oracle E-Business Suite (subcomponente: Self Registration). Versiones compatibles que son afectadas son 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 y 12.2.6. Vulnerabilidad f\u00e1cilmente explotable permite a atacante no autenticado con acceso a la red v\u00eda HTTP para comprometer Oracle iReceivables. Los ataques exitosos de esta vulnerabilidad pueden resultar en capacidad no autorizada para causar un bloqueo o una ca\u00edda repetible de frecuencia (complete DOS) de Oracle iReceivables. CVSS 3.0 Base Score 7.5 (Impactos de disponibilidad). Vector CVSS: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)."}], "lastModified": "2025-04-20T01:37:25.860", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:ireceivables:12.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1DA5DA47-8106-4480-89F8-CD6A1795688E"}, {"criteria": "cpe:2.3:a:oracle:ireceivables:12.1.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "98D89765-DE4B-4DD2-8B01-98FE03AE1BAC"}, {"criteria": "cpe:2.3:a:oracle:ireceivables:12.1.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8A02E657-C4F5-4057-9BD7-BA878E531427"}, {"criteria": "cpe:2.3:a:oracle:ireceivables:12.2.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EB9BE281-8439-4764-A6BB-757DA40C4FC3"}, {"criteria": "cpe:2.3:a:oracle:ireceivables:12.2.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "73B5945A-90FE-45FA-81FC-AEADAEAFA45D"}, {"criteria": "cpe:2.3:a:oracle:ireceivables:12.2.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F88A69CC-331F-45CB-B3D9-F8FFED25BEB4"}, {"criteria": "cpe:2.3:a:oracle:ireceivables:12.2.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "316B1830-5C0D-4444-AB79-85AC9AA19ACF"}], "operator": "OR"}]}], "sourceIdentifier": "secalert_us@oracle.com"}

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2017-3555

7.5^/10

5.0^/10

Attach tags to `CVE-2017-3555`