CVE-2018-2674 : Vulnerability in the Oracle FLEXCUBE Direct Banking component of Oracle Financia

Vulnerability in the Oracle FLEXCUBE Direct Banking component of Oracle Financial Services Applications (subcomponent: Logoff). Supported versions that are affected are 12.0.2 and 12.0.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle FLEXCUBE Direct Banking. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle FLEXCUBE Direct Banking, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle FLEXCUBE Direct Banking accessible data as well as unauthorized read access to a subset of Oracle FLEXCUBE Direct Banking accessible data. CVSS 3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Published 2018-01-18 02:29:23

Updated 2019-10-03 00:03:26

Source Oracle

View at NVD, CVE.org

Products affected by CVE-2018-2674

Oracle » Flexcube Direct Banking » Version: 12.0.3
cpe:2.3:a:oracle:flexcube_direct_banking:12.0.3:*:*:*:*:*:*:*
Matching versions
Oracle » Flexcube Direct Banking » Version: 12.0.2
cpe:2.3:a:oracle:flexcube_direct_banking:12.0.2:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2018-2674

EPSS FAQ

0.14%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 50 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2018-2674

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:N	8.6	4.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None
6.1	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

References for CVE-2018-2674

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Oracle Critical Patch Update - January 2018
Patch

CVEs referencing this url
http://www.securitytracker.com/id/1040214

Oracle Financial Services Applications Multiple Bugs Let Remote Users Access and Modify Data and Remote Authenticated Users Deny Service and Gain Elevated Privileges - SecurityTracker
Third Party Advisory;VDB Entry

CVEs referencing this url
http://www.securityfocus.com/bid/102686

Oracle FLEXCUBE Direct Banking CVE-2018-2674 Remote Security Vulnerability
Third Party Advisory;VDB Entry

Jump to

Vulnerability Details : CVE-2018-2674

Products affected by CVE-2018-2674

Exploit prediction scoring system (EPSS) score for CVE-2018-2674

CVSS scores for CVE-2018-2674

References for CVE-2018-2674