SB2025071678 - Multiple vulnerabilities in PeopleSoft Enterprise PeopleTools

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025071678

SB2025071678 - Multiple vulnerabilities in PeopleSoft Enterprise PeopleTools

Published: July 16, 2025

Security Bulletin ID SB2025071678
Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 40% Low 60%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Out-of-bounds write (CVE-ID: CVE-2024-9143)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when using the low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial. A remote attacker can send specially crafted input to the server, trigger an out-of-bounds write and perform a denial of service (DoS) attack.

Note, the vulnerability can be exploited against the application in rare cases only that involve "exotic" curve encoding.


2) Improper input validation (CVE-ID: CVE-2025-30747)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the PIA Core Technology component in PeopleSoft Enterprise PeopleTools. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.


3) Path traversal (CVE-ID: CVE-2025-23084)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to input validation error in path.join API when processing drive names in the Windows environment. A local user with ability to alter Windows drive names can escalate privileges on the system.


4) Improper input validation (CVE-ID: CVE-2025-30748)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the PIA Core Technology component in PeopleSoft Enterprise PeopleTools. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.


5) Input validation error (CVE-ID: CVE-2025-24970)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in SslHandler when using native SSLEngine. A remote attacker can send a specially crafted packet to the application and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References