CVE-2021-35587
Oracle Access Manager Unauthenticated Attacker Vulnerability CVE-2021-35587
- CVE-2021-35587
** Description
- POC for CVE-2021-35587: an easily exploitable vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager.
- Created by antx on 2022-03-14.
** Detail
- Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: OpenSSO Agent).
- Easily exploitable: an unauthenticated attacker with network access via HTTP can compromise Oracle Access Manager; no privileges and no user interaction are required.
- Successful exploitation can result in takeover of Oracle Access Manager.
- Because no credentials are needed, any instance of an affected version whose OAM HTTP endpoints are reachable should be treated as exposed to this POC; apply the fix from Oracle's Critical Patch Update (January 2022) and review access logs for exploitation attempts.
** CVE Severity
- vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- attackComplexity: LOW
- attackVector: NETWORK
- availabilityImpact: HIGH
- confidentialityImpact: HIGH
- integrityImpact: HIGH
- privilegesRequired: NONE
- scope: UNCHANGED
- userInteraction: NONE
- version: 3.1
- baseScore: 9.8
- baseSeverity: CRITICAL
** Affected
- Oracle Access Manager 11.1.2.3.0
- Oracle Access Manager 12.2.1.3.0
- Oracle Access Manager 12.2.1.4.0
** POC
- [[./CVE-2021-35587.py][Poc]]
** Reference
- Ref-Source
  - [[https://testbnull.medium.com/oracle-access-manager-pre-auth-rce-cve-2021-35587-analysis-1302a4542316][Oracle Access Manager pre-authentication Remote Code Execution CVE-2021-35587]]
  - [[https://github.com/cckuailong/reapoc/blob/4eb15938ed9f44aa7db47fdbb88bc45f556b02bb/2021/CVE-2021-35587/poc/nuclei/CVE-2021-35587.yaml][Nuclei POC <CVE-2021-35587>]]
- Ref-Risk
  - [[https://nvd.nist.gov/vuln/detail/CVE-2021-35587][NVD<CVE-2021-35587>]]
- CVE
  - [[https://github.com/CVEProject/cvelist/blob/master/2021/35xxx/CVE-2021-35587.json][CVE-2021-35587]]
- Ref-Poc-Engine
  - [[https://github.com/antx-code/pocx][pocx]]