SB2024041798 - Multiple vulnerabilities in PeopleSoft Enterprise PeopleTools

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024041798

SB2024041798 - Multiple vulnerabilities in PeopleSoft Enterprise PeopleTools

Published: April 17, 2024 Updated: February 21, 2025

Security Bulletin ID SB2024041798
Severity
High
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 14% Medium 57% Low 29%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 7 secuirty vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2024-21097)

The vulnerability allows a remote privileged user to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Security component in PeopleSoft Enterprise PeopleTools. A remote privileged user can exploit this vulnerability to gain access to sensitive information.


2) Improper input validation (CVE-ID: CVE-2024-21070)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Search Framework component in PeopleSoft Enterprise PeopleTools. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.


3) Improper input validation (CVE-ID: CVE-2022-24613)

The vulnerability allows a local non-authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the OpenSearch (metadata-extractor) component in PeopleSoft Enterprise PeopleTools. A local non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.


4) Improper input validation (CVE-ID: CVE-2024-21065)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Workflow component in PeopleSoft Enterprise PeopleTools. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.


5) Excessive Iteration (CVE-ID: CVE-2023-4043)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect. A remote attacker can trigger excessive iteration and perform a denial of service (DoS) attack.


6) Input validation error (CVE-ID: CVE-2023-4807)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within the POLY1305 MAC (message authentication code) implementation. A remote attacker can send specially crafted input to the application and corrupt MM registers on Windows 64 platform, resulting in a denial of service condition.


7) Heap-based buffer overflow (CVE-ID: CVE-2023-38545)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the SOCKS5 proxy handshake. A remote attacker can trick the victim to visit a malicious website, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system but requires that SOCKS5 proxy is used and that SOCKS5 handshake is slow (e.g. under heavy load or DoS attack).


Remediation

Install update from vendor's website.

References