CVE-2016-8319 : Vulnerability in the Oracle FLEXCUBE Investor Servicing component of Oracle Financial Services Applications (subcomponen

Vulnerability in the Oracle FLEXCUBE Investor Servicing component of Oracle Financial Services Applications (subcomponent: Core). Supported versions that are affected are 12.0.1, 12.0.2,12.0.4,12.1.0 and 12.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle FLEXCUBE Investor Servicing. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle FLEXCUBE Investor Servicing, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle FLEXCUBE Investor Servicing accessible data as well as unauthorized read access to a subset of Oracle FLEXCUBE Investor Servicing accessible data. CVSS v3.0 Base Score 6.1 (Confidentiality and Integrity impacts).

Published 2017-01-27 22:59:02

Updated 2017-02-11 02:59:04

Source Oracle

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Exploit prediction scoring system (EPSS) score for CVE-2016-8319

Probability of exploitation activity in the next 30 days: 0.13%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 47 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2016-8319

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:N	8.6	4.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None
6.1	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2016-8319

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-8319

http://www.securityfocus.com/bid/95514

Oracle FLEXCUBE Investor Servicing CVE-2016-8319 Remote Security Vulnerability
Third Party Advisory;VDB Entry
http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html

Oracle Critical Patch Update - January 2017
Patch;Vendor Advisory

CVEs referencing this url
http://www.securitytracker.com/id/1037636

Oracle Financial Services Applications Multiple Flaws Let Remote and Local Users Access and Modify Data and Let Remote Users Deny Service - SecurityTracker

CVEs referencing this url

Products affected by CVE-2016-8319

Oracle » Flexcube Investor Servicing » Version: 12.0.1
cpe:2.3:a:oracle:flexcube_investor_servicing:12.0.1:*:*:*:*:*:*:*
Matching versions
Oracle » Flexcube Investor Servicing » Version: 12.0.2
cpe:2.3:a:oracle:flexcube_investor_servicing:12.0.2:*:*:*:*:*:*:*
Matching versions
Oracle » Flexcube Investor Servicing » Version: 12.1.0
cpe:2.3:a:oracle:flexcube_investor_servicing:12.1.0:*:*:*:*:*:*:*
Matching versions
Oracle » Flexcube Investor Servicing » Version: 12.3.0
cpe:2.3:a:oracle:flexcube_investor_servicing:12.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Flexcube Investor Servicing » Version: 12.0.4
cpe:2.3:a:oracle:flexcube_investor_servicing:12.0.4:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2016-8319

Exploit prediction scoring system (EPSS) score for CVE-2016-8319

CVSS scores for CVE-2016-8319

CWE ids for CVE-2016-8319

References for CVE-2016-8319

Products affected by CVE-2016-8319