A recently discovered vulnerability in the Oracle Health Sciences InForm product of Oracle Health Sciences Applications (component: Core) has been disclosed under the reference number CVE-2023-21924. This vulnerability affects the supported versions of the software prior to 6.3.1.3 and prior to 7...1. The vulnerability is categorized as easily exploitable and allows a high-privileged attacker with network access via HTTP to compromise the Oracle Health Sciences InForm application.

Before diving into the details, let's go through some references:

- Original advisory by Oracle
- CVE-2023-21924 - NVD
- Oracle Health Sciences InForm support

Exploit Details

Successful exploitation of this vulnerability requires human interaction from someone other than the attacker. While the vulnerability primarily affects Oracle Health Sciences InForm, it could potentially impact additional products because the CVSS scope is changed (S:C), meaning the impact can reach beyond the vulnerable component itself.

Attackers can exploit this vulnerability to gain unauthorized update, insert, or delete access to some of the data accessible to Oracle Health Sciences InForm. In addition, exploitation allows unauthorized read access to a subset of Oracle Health Sciences InForm accessible data and the unauthorized ability to cause a partial denial of service (partial DoS) of the application.

CVSS 3.1 Base Score: 5.9 (Confidentiality, Integrity, and Availability impacts)

- CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L)

Code Snippet

While the exploit code is not publicly available, the vulnerability lies within the Core component of Oracle Health Sciences InForm. An attacker with high privileges on the system and HTTP network access can exploit the vulnerability to manipulate the application data.

Mitigation

Oracle has already released patches for the affected versions of the software. It is highly recommended to upgrade your Oracle Health Sciences InForm product to the latest version (6.3.1.3 or 7...1) to mitigate the vulnerability and help protect your application data from unauthorized access.

If upgrading is not possible immediately, restrict access to only trusted and authorized users with high privileges to reduce the chance of exploitation.

Conclusion

The CVE-2023-21924 vulnerability poses a significant risk to organizations using Oracle Health Sciences InForm, as it allows unauthorized data manipulation and a partial denial of service. It is crucial for administrators to apply the relevant security patches and updates to the application as soon as possible to protect sensitive data and maintain the confidentiality, integrity, and availability of the system.

Timeline

Published on: 04/18/2023 20:15:00 UTC
Last modified on: 04/18/2023 20:37:00 UTC