CVE-2020-2730 : Vulnerability in the Oracle Financial Services Revenue Management and Billing pr

Vulnerability in the Oracle Financial Services Revenue Management and Billing product of Oracle Financial Services Applications (component: File Upload). Supported versions that are affected are 2.7.0.0, 2.7.0.1 and 2.8.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financial Services Revenue Management and Billing. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Financial Services Revenue Management and Billing, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Financial Services Revenue Management and Billing accessible data as well as unauthorized read access to a subset of Oracle Financial Services Revenue Management and Billing accessible data. CVSS 3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

Published 2020-01-15 17:15:29

Updated 2021-01-13 14:41:48

Source Oracle

View at NVD, CVE.org

Products affected by CVE-2020-2730

Oracle » Revenue Management And Billing » Version: 2.7.0.0
cpe:2.3:a:oracle:revenue_management_and_billing:2.7.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Revenue Management And Billing » Version: 2.7.0.1
cpe:2.3:a:oracle:revenue_management_and_billing:2.7.0.1:*:*:*:*:*:*:*
Matching versions
Oracle » Revenue Management And Billing » Version: 2.8.0.0
cpe:2.3:a:oracle:revenue_management_and_billing:2.8.0.0:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-2730

EPSS FAQ

0.19%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 37 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-2730

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.9	MEDIUM	AV:N/AC:M/Au:S/C:P/I:P/A:N	6.8	4.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None
5.4	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	2.3	2.7	Oracle
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	2.3	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2020-2730

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-2730

https://www.oracle.com/security-alerts/cpujan2020.html

Oracle Critical Patch Update Advisory - January 2020
Patch;Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2020-2730

Products affected by CVE-2020-2730

Exploit prediction scoring system (EPSS) score for CVE-2020-2730

CVSS scores for CVE-2020-2730

CWE ids for CVE-2020-2730

References for CVE-2020-2730