CVE-2022-21591 Oracle Transportation Management is vulnerable to attacks in 6.4.3 and 6.5.1 versions.

Vulnerable versions of Oracle Transportation Management are 6.4.3 and 6.5.1. These versions are prior to the fix for the above mentioned vulnerability and thus are vulnerable to the following attack: Vulnerable software versions 6.4.3 and 6.5.1 can be exploited to perform SQL injection attacks against the Oracle Transportation Management. Exploiting this vulnerability results in the attacker being able to escalate privileges and gain access to critical system data. Note: 6.4.3 and 6.5.1 are the only versions of Oracle Transportation Management that are affected by the vulnerability described in this advisory. What should I do? Update to a patched version as soon as possible. In order to avoid possible exploitation, always keep your software up-to-date.

References https://www.oracle.com/us/technologies/security-vulnerabilities/tms-2022-21591.html

To avoid exploitation of this vulnerability, keep your software up to date with the newest patches from Oracle.

SQL Injection Exploitation Scenarios

The vulnerability can be exploited to gain access to critical system data. One of the scenarios that could be leveraged is the following:
1. The attacker logs in as user "sa" and uses a valid password hash such as SHA-256(password)
2. SQL injection attack against Oracle Transportation Management
3. Exploiting CVE-2022-21591 results in the attacker being able to escalate privileges and gain access to critical system data

Timeline

Published on: 10/18/2022 21:15:00 UTC
Last modified on: 10/18/2022 21:18:00 UTC

References