{"id":14,"date":"2022-07-19T13:47:00","date_gmt":"2022-07-19T13:47:00","guid":{"rendered":"https:\/\/nobugescapes.com\/?p=14"},"modified":"2022-11-29T05:20:03","modified_gmt":"2022-11-29T05:20:03","slug":"pii-exposure-on-oracle-e-business-suite","status":"publish","type":"post","link":"https:\/\/nobugescapes.com\/blog\/pii-exposure-on-oracle-e-business-suite\/","title":{"rendered":"PII Exposure On Oracle E-Business Suite"},"content":{"rendered":"\n

Summary:<\/h3>\n\n\n\n

CVE-2022-21567<\/h4>\n\n\n\n

On 23 May 2022 I discovered and reported a security issue on one of Oracle Products “Oracle E-Business Suite” the vulnerability has been patched on the latest version Oracle security team recommend using the latest version.<\/p>\n\n\n\n

<\/p>\n\n\n\n

<\/p>\n\n\n\n

Technical Description:<\/h3>\n\n\n\n

PII Exposure was found on “Oracle E-Business Suite” The issue allows an authenticated attacker to pull all the Users info such as (First name , last name and email address) from the system using the “WORKLIST VACATION RULES” users with low privileged access are able to to use the “WORKLIST VACATION RULES” <\/p>\n\n\n\n

The security risk of the vulnerability is High with a CVSS (common vulnerability scoring system) count of 7.5
Exploitation of the web vulnerability requires a low privileged user account with restricted access
Successful exploitation of the vulnerability results in PII EXPOSURE of all users info.<\/p>\n\n\n\n

Proof of Concept (PoC):<\/h3>\n\n\n\n

1- User register an account on the system by navigating to the following directory \/OA_HTML\/ibeCAcpSSOReg.jsp<\/p>\n\n\n\n

\n
\"\"<\/figure>\n<\/figure>\n\n\n\n

2- User complete the registration process<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

3- User return to the login page and login to the system<\/p>\n\n\n\n

\n
\"\"<\/figure>\n<\/figure>\n\n\n\n

4- On the home page user navigate to the “Vacation Rules”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

5- User Create a new rule<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

6- User open the search option<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

7- Almost done, leave the input field empty then click on “Go”<\/p>\n\n\n\n

\n
\"\"<\/figure>\n<\/figure>\n\n\n\n

Solution – Fix & Patch:<\/h3>\n\n\n\n

Apply the appropriate patch according to the July 2022 Oracle Critical Patch Update advisory.<\/p>\n\n\n\n

Thanks for reading<\/p>\n","protected":false},"excerpt":{"rendered":"

Summary: CVE-2022-21567 On 23 May 2022 I discovered and reported a security issue on one of Oracle Products “Oracle E-Business Suite” the vulnerability has been patched on the latest version Oracle security team recommend using the latest version. Technical Description: PII Exposure was found on “Oracle E-Business Suite” The issue allows an authenticated attacker to […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[9],"tags":[6,5,7],"yoast_head":"\nPII Exposure On Oracle E-Business Suite -<\/title>\n<meta name=\"description\" content=\"CVE-2022-21567 | PII Exposure was found on "Oracle E-Business Suite" The issue allows an authenticated attacker to pull all the Users info such as (First name , last name and email address) from the system using the "WORKLIST VACATION RULES" users with low privileged access are able to to use the "WORKLIST VACATION RULES"\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/nobugescapes.com\/blog\/pii-exposure-on-oracle-e-business-suite\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"PII Exposure On Oracle E-Business Suite -\" \/>\n<meta property=\"og:description\" content=\"CVE-2022-21567 | PII Exposure was found on "Oracle E-Business Suite" The issue allows an authenticated attacker to pull all the Users info such as (First name , last name and email address) from the system using the "WORKLIST VACATION RULES" users with low privileged access are able to to use the "WORKLIST VACATION RULES"\" \/>\n<meta property=\"og:url\" content=\"https:\/\/nobugescapes.com\/blog\/pii-exposure-on-oracle-e-business-suite\/\" \/>\n<meta property=\"article:published_time\" content=\"2022-07-19T13:47:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-11-29T05:20:03+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/nobugescapes.com\/wp-content\/uploads\/2022\/07\/Poc1-1-1024x246.png\" \/>\n<meta name=\"author\" content=\"Turki\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Turki\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/nobugescapes.com\/blog\/pii-exposure-on-oracle-e-business-suite\/\",\"url\":\"https:\/\/nobugescapes.com\/blog\/pii-exposure-on-oracle-e-business-suite\/\",\"name\":\"PII Exposure On Oracle E-Business Suite -\",\"isPartOf\":{\"@id\":\"https:\/\/nobugescapes.com\/#website\"},\"datePublished\":\"2022-07-19T13:47:00+00:00\",\"dateModified\":\"2022-11-29T05:20:03+00:00\",\"author\":{\"@id\":\"https:\/\/nobugescapes.com\/#\/schema\/person\/57e251ce8a555429d986eddcc794e2be\"},\"description\":\"CVE-2022-21567 | PII Exposure was found on \\\"Oracle E-Business Suite\\\" The issue allows an authenticated attacker to pull all the Users info such as (First name , last name and email address) from the system using the \\\"WORKLIST VACATION RULES\\\" users with low privileged access are able to to use the \\\"WORKLIST VACATION RULES\\\"\",\"breadcrumb\":{\"@id\":\"https:\/\/nobugescapes.com\/blog\/pii-exposure-on-oracle-e-business-suite\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/nobugescapes.com\/blog\/pii-exposure-on-oracle-e-business-suite\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/nobugescapes.com\/blog\/pii-exposure-on-oracle-e-business-suite\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/nobugescapes.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"PII Exposure On Oracle E-Business Suite\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/nobugescapes.com\/#website\",\"url\":\"https:\/\/nobugescapes.com\/\",\"name\":\"\",\"description\":\"No Bug Escapes\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/nobugescapes.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/nobugescapes.com\/#\/schema\/person\/57e251ce8a555429d986eddcc794e2be\",\"name\":\"Turki\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/nobugescapes.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4f25df09dc99e8e956c6f78fb406471d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4f25df09dc99e8e956c6f78fb406471d?s=96&d=mm&r=g\",\"caption\":\"Turki\"},\"sameAs\":[\"https:\/\/nobugescapes.com\"],\"url\":\"https:\/\/nobugescapes.com\/author\/turki\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"PII Exposure On Oracle E-Business Suite -","description":"CVE-2022-21567 | PII Exposure was found on \"Oracle E-Business Suite\" The issue allows an authenticated attacker to pull all the Users info such as (First name , last name and email address) from the system using the \"WORKLIST VACATION RULES\" users with low privileged access are able to to use the \"WORKLIST VACATION RULES\"","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/nobugescapes.com\/blog\/pii-exposure-on-oracle-e-business-suite\/","og_locale":"en_US","og_type":"article","og_title":"PII Exposure On Oracle E-Business Suite -","og_description":"CVE-2022-21567 | PII Exposure was found on \"Oracle E-Business Suite\" The issue allows an authenticated attacker to pull all the Users info such as (First name , last name and email address) from the system using the \"WORKLIST VACATION RULES\" users with low privileged access are able to to use the \"WORKLIST VACATION RULES\"","og_url":"https:\/\/nobugescapes.com\/blog\/pii-exposure-on-oracle-e-business-suite\/","article_published_time":"2022-07-19T13:47:00+00:00","article_modified_time":"2022-11-29T05:20:03+00:00","og_image":[{"url":"https:\/\/nobugescapes.com\/wp-content\/uploads\/2022\/07\/Poc1-1-1024x246.png"}],"author":"Turki","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Turki","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/nobugescapes.com\/blog\/pii-exposure-on-oracle-e-business-suite\/","url":"https:\/\/nobugescapes.com\/blog\/pii-exposure-on-oracle-e-business-suite\/","name":"PII Exposure On Oracle E-Business Suite -","isPartOf":{"@id":"https:\/\/nobugescapes.com\/#website"},"datePublished":"2022-07-19T13:47:00+00:00","dateModified":"2022-11-29T05:20:03+00:00","author":{"@id":"https:\/\/nobugescapes.com\/#\/schema\/person\/57e251ce8a555429d986eddcc794e2be"},"description":"CVE-2022-21567 | PII Exposure was found on \"Oracle E-Business Suite\" The issue allows an authenticated attacker to pull all the Users info such as (First name , last name and email address) from the system using the \"WORKLIST VACATION RULES\" users with low privileged access are able to to use the \"WORKLIST VACATION RULES\"","breadcrumb":{"@id":"https:\/\/nobugescapes.com\/blog\/pii-exposure-on-oracle-e-business-suite\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/nobugescapes.com\/blog\/pii-exposure-on-oracle-e-business-suite\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/nobugescapes.com\/blog\/pii-exposure-on-oracle-e-business-suite\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/nobugescapes.com\/"},{"@type":"ListItem","position":2,"name":"PII Exposure On Oracle E-Business Suite"}]},{"@type":"WebSite","@id":"https:\/\/nobugescapes.com\/#website","url":"https:\/\/nobugescapes.com\/","name":"","description":"No Bug Escapes","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/nobugescapes.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/nobugescapes.com\/#\/schema\/person\/57e251ce8a555429d986eddcc794e2be","name":"Turki","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/nobugescapes.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4f25df09dc99e8e956c6f78fb406471d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4f25df09dc99e8e956c6f78fb406471d?s=96&d=mm&r=g","caption":"Turki"},"sameAs":["https:\/\/nobugescapes.com"],"url":"https:\/\/nobugescapes.com\/author\/turki\/"}]}},"_links":{"self":[{"href":"https:\/\/nobugescapes.com\/wp-json\/wp\/v2\/posts\/14"}],"collection":[{"href":"https:\/\/nobugescapes.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nobugescapes.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nobugescapes.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nobugescapes.com\/wp-json\/wp\/v2\/comments?post=14"}],"version-history":[{"count":12,"href":"https:\/\/nobugescapes.com\/wp-json\/wp\/v2\/posts\/14\/revisions"}],"predecessor-version":[{"id":226,"href":"https:\/\/nobugescapes.com\/wp-json\/wp\/v2\/posts\/14\/revisions\/226"}],"wp:attachment":[{"href":"https:\/\/nobugescapes.com\/wp-json\/wp\/v2\/media?parent=14"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nobugescapes.com\/wp-json\/wp\/v2\/categories?post=14"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nobugescapes.com\/wp-json\/wp\/v2\/tags?post=14"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}