SB2025071673 - Multiple vulnerabilities in Oracle Data Integrator
Published: July 16, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Resource exhaustion (CVE-ID: CVE-2024-8184)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources within the ThreadLimitHandler.getRemote() function. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
2) Out-of-bounds write (CVE-ID: CVE-2022-45693)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack..
The vulnerability exists due to a boundary error when processing data passed via the map parameter. A remote attacker can pass specially crafted input to the application, trigger an out-of-bounds write and perform a denial of service (DoS) attack.3) Path traversal (CVE-ID: CVE-2025-27553)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing double dots, e.g. ".." in file names. A remote attacker can view files outside of the current scope.
4) Improper access control (CVE-ID: CVE-2025-48734)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions to enum properties. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty().
Remediation
Install update from vendor's website.