SB20240718112 - Multiple vulnerabilities in Oracle Global Lifecycle Management NextGen OUI Framework
Published: July 18, 2024
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Incorrect default permissions (CVE-ID: CVE-2023-2976)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incorrect default permissions in com.google.common.io.FileBackedOutputStream. A local user with access to the system can view contents of files and directories or modify them.
2) Resource exhaustion (CVE-ID: CVE-2024-29857)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the library does not properly control consumption of internal resources when importing an EC certificate with specially crafted F2m parameters. A remote attacker can pass a specially crafted certificate to the application to trigger resource exhaustion and perform a denial of service (DoS) attack.
3) Link following (CVE-ID: CVE-2023-4759)
The vulnerability allows a remote attacker to overwrite files on the system.
The vulnerability exists due to insecure link following. A remote attacker can place a specially crafted symbolic link into the repository, trick the victim into cloning it and overwrite arbitrary files on the system.
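An added example, not part of the original bulletin or of the vendor's code: a Python audit that lists symbolic links in a checked-out working tree whose targets resolve outside that tree, which is the kind of link item 3 is concerned with. The function names, the demo tree and its paths are constructed for illustration, and POSIX paths are assumed.

```python
import os
import tempfile


def find_escaping_symlinks(root):
    """Return sorted (link, raw_target) pairs for symlinks under root whose
    resolved target lies outside root (absolute target or ../ traversal)."""
    root_real = os.path.realpath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Only the checked-out tree is audited; repository metadata is skipped.
        if ".git" in dirnames:
            dirnames.remove(".git")
        # Links to directories are listed in dirnames, all other links in filenames.
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            # realpath follows link chains, so a link to an escaping link is flagged too.
            resolved = os.path.realpath(path)
            if os.path.commonpath([root_real, resolved]) != root_real:
                findings.append((os.path.relpath(path, root), os.readlink(path)))
    return sorted(findings)


def demo():
    """Build a constructed working tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = os.path.join(tmp, "repo")
        os.makedirs(os.path.join(repo, "docs"))
        open(os.path.join(repo, "README"), "w").close()
        # Constructed sample links: one stays inside the tree, two leave it.
        os.symlink("../README", os.path.join(repo, "docs", "readme-link"))
        os.symlink("../../outside.txt", os.path.join(repo, "docs", "up"))
        os.symlink("/etc", os.path.join(repo, "conf"))
        return find_escaping_symlinks(repo)


if __name__ == "__main__":
    for link, target in demo():
        print(f"{link} -> {target}")
```

Running the audit on a fresh clone before building or opening it gives a quick list of links to review; an empty result means no link in the tree resolves outside it.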
Remediation
Install the update from the vendor's website.