CVE-2019-2438

Vulnerability in the Oracle Web Cache component of Oracle Fusion Middleware (subcomponent: ESI/Partial Page Caching). The supported version that is affected is 11.1.1.9.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Cache. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Web Cache, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Web Cache accessible data as well as unauthorized update, insert or delete access to some of Oracle Web Cache accessible data. CVSS 3.0 Base Score 6.9 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N).

CVSS v3 6.9 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.9^/10

CVSS v3 : MEDIUM

V3 Legend

Vector : AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N

Exploitability : 1.6 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:H/Au:N/C:P/I:P/A:N

Exploitability : 4.9 / Impact : 4.9

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html	Patch Vendor Advisory
http://www.securityfocus.com/bid/106612	Third Party Advisory VDB Entry
http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html	Patch Vendor Advisory
http://www.securityfocus.com/bid/106612	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

cpe:2.3:a:oracle:web_cache:11.1.1.9.0:*:*:*:*:*:*:*

History

21 Nov 2024, 04:40

Type	Values Removed	Values Added
References	~~() http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html - Patch, Vendor Advisory~~	() http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html - Patch, Vendor Advisory
References	~~() http://www.securityfocus.com/bid/106612 - VDB Entry, Third Party Advisory~~	() http://www.securityfocus.com/bid/106612 - Third Party Advisory, VDB Entry

Information

Published : 2019-01-16 19:30

Updated : 2024-11-21 04:40

NVD link : CVE-2019-2438

Mitre link : CVE-2019-2438

CVE.ORG link : CVE-2019-2438

JSON object : View

Products Affected

oracle

web_cache

CWE

NVD-CWE-noinfo

{"id": "CVE-2019-2438", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "HIGH", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 4.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 1.6}]}, "published": "2019-01-16T19:30:32.157", "references": [{"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", "tags": ["Patch", "Vendor Advisory"], "source": "secalert_us@oracle.com"}, {"url": "http://www.securityfocus.com/bid/106612", "tags": ["Third Party Advisory", "VDB Entry"], "source": "secalert_us@oracle.com"}, {"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securityfocus.com/bid/106612", "tags": ["Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle Web Cache component of Oracle Fusion Middleware (subcomponent: ESI/Partial Page Caching). The supported version that is affected is 11.1.1.9.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Cache. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Web Cache, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Web Cache accessible data as well as unauthorized update, insert or delete access to some of Oracle Web Cache accessible data. CVSS 3.0 Base Score 6.9 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N)."}, {"lang": "es", "value": "Vulnerabilidad en el componente Oracle Web Cache de Oracle Fusion Middleware (subcomponente: ESI/Partial Page Caching). La versi\u00f3n soportada afectada es la 11.1.1.9.0. Una vulnerabilidad dif\u00edcilmente explotable permite que un atacante sin autenticar que tenga acceso a red por HTTP comprometa la seguridad de Oracle Web Cache. Para que los ataques tengan \u00e9xito, se necesita la participaci\u00f3n de otra persona diferente del atacante y, aunque la vulnerabilidad est\u00e1 presente en Oracle Web Cache, los ataques podr\u00edan afectar ligeramente a productos adicionales. Los ataques exitosos de esta vulnerabilidad pueden resultar en un acceso no autorizado a datos confidenciales o un acceso completo a todos los datos accesibles de Oracle Web Cache, actualizaci\u00f3n, inserci\u00f3n o eliminaci\u00f3n de acceso sin autorizaci\u00f3n de algunos de los datos accesibles de Oracle Web Cache. CVSS 3.0 Base Score 6.9 (impactos en la confidencialidad e integridad). Vector CVSS: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N)."}], "lastModified": "2024-11-21T04:40:52.410", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:web_cache:11.1.1.9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C8ACF75A-939D-44DB-A9D0-F31D2ADFA97D"}], "operator": "OR"}]}], "sourceIdentifier": "secalert_us@oracle.com"}

6.9 /10

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.0 /10

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2019-2438

6.9^/10

4.0^/10

Attach tags to `CVE-2019-2438`