Back to KEVs

CVE-2022-21587

Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are...

Basic Information

CVE State: PUBLISHED
Reserved Date: November 15, 2021
Published Date: October 18, 2022
Last Updated: September 25, 2024
Vendor: Oracle Corporation
Product: Web Applications Desktop Integrator
Description: Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation: active
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (added 2023-02-02 00:00:00 UTC) Source
Proof of Concept Available: Yes (added 2023-02-22 08:00:38 UTC) Source
Used in Malware: Yes (added 2023-02-02 00:00:00 UTC) Source

References

https://www.oracle.com/security-alerts/cpuoct2022.html http://packetstormsecurity.com/files/171208/Oracle-E-Business-Suite-EBS-Unauthenticated-Arbitrary-File-Upload.html

Known Exploited Vulnerability Information

Source	Added Date
CISA	2023-02-02 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Metasploit	https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/oracle_ebs_rce_cve_2022_21587.rb	2025-04-29 11:01:14 UTC
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-21587.yaml	2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

oracle_ebs_rce_cve_2022_21587

Type: metasploit • Created: Unknown

Metasploit module for CVE-2022-21587

sahabrifki/CVE-2022-21587-Oracle-EBS-

Type: github • Created: 2023-03-03 12:56:58 UTC • Stars: 5

This script is used for automating exploit for Oracle Ebussiness (EBS) for CVE 2022-21587 ( Unauthenticated File Upload For Remote Code Execution)

rockmelodies/Oracle-E-BS-CVE-2022-21587-Exploit

Type: github • Created: 2023-02-22 08:00:38 UTC • Stars: 1

Oracle E-BS CVE-2022-21587 Exploit

hieuminhnv/CVE-2022-21587-POC

Type: github • Created: 2023-02-06 04:18:24 UTC • Stars: 13

CVE-2022-21587 POC