Vulnerability Details : CVE-2017-10273
Vulnerability in the Oracle JDeveloper component of Oracle Fusion Middleware (subcomponent: Deployment). Supported versions that are affected are 11.1.1.7.0, 11.1.1.7.1, 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0 and 12.2.1.2.0. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle JDeveloper executes to compromise Oracle JDeveloper. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle JDeveloper, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle JDeveloper accessible data as well as unauthorized read access to a subset of Oracle JDeveloper accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle JDeveloper. CVSS 3.0 Base Score 4.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L).
Vulnerability category: Directory traversalDenial of service
Products affected by CVE-2017-10273
- cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdeveloper:11.1.1.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdeveloper:11.1.2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdeveloper:11.1.1.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdeveloper:12.2.1.2.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-10273
0.07%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 29 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-10273
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.7
|
LOW | AV:L/AC:H/Au:N/C:P/I:P/A:P |
1.9
|
6.4
|
NIST | |
4.7
|
MEDIUM | CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L |
0.6
|
3.7
|
NIST |
CWE ids for CVE-2017-10273
-
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-10273
-
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
Oracle Critical Patch Update - January 2018Patch;Vendor Advisory
-
http://www.securityfocus.com/bid/102569
Oracle JDeveloper CVE-2017-10273 Local Security VulnerabilityThird Party Advisory;VDB Entry
-
https://www.exploit-db.com/exploits/43848/
Oracle JDeveloper 11.1.x/12.x - Directory TraversalThird Party Advisory;VDB Entry
-
http://www.securitytracker.com/id/1040207
Oracle Fusion Middleware Product Flaws Let Remote Users Access and Modify Data and Deny Service - SecurityTrackerThird Party Advisory;VDB Entry
Jump to