CVE-2018-16959

{"id": "CVE-2018-16959", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2018-09-18T02:29:01.183", "references": [{"url": "http://www.securityfocus.com/bid/105350", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "https://seclists.org/fulldisclosure/2018/Sep/22", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The portal component is delivered with an insecure default User Profile community configuration that allows anonymous users to retrieve the account names of all portal users via /portal/server.pt/user/user/ requests. When WCI is synchronised with Active Directory (AD), this vulnerability can expose the account names of all AD users. NOTE: this CVE is assigned by MITRE and isn't validated by Oracle because Oracle WebCenter Interaction Portal is out of support."}, {"lang": "es", "value": "Se ha descubierto un problema en Oracle WebCenter Interaction Portal 10.3.3. El componente portal se entrega con una configuraci\u00f3n de comunidad User Profile insegura por defecto que permite que usuarios an\u00f3nimos recuperen los nombres de cuenta de todos los usuarios mediante peticiones en /portal/server.pt/user/user/. Cuando se sincroniza WCI con Active Directory (AD), esta vulnerabilidad puede exponer los nombres de cuenta de todos los usuarios de AD. NOTA: este CVE ha sido asignado por MITRE y no est\u00e1 validado por Oracle debido a que Oracle WebCenter Interaction Portal ya no tiene soporte."}], "lastModified": "2018-12-06T14:47:32.387", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:webcenter_interaction:10.3.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "09AF34F7-194B-4114-AE1D-3CE10946B074"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}