{"api_version":"1","generated_at":"2026-04-23T04:12:09+00:00","cve":"CVE-2022-21587","urls":{"html":"https://cve.report/CVE-2022-21587","api":"https://cve.report/api/cve/CVE-2022-21587.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-21587","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-21587"},"summary":{"title":"CVE-2022-21587","description":"Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).","state":"PUBLIC","assigner":"secalert_us@oracle.com","published_at":"2022-10-18 21:15:00","updated_at":"2023-08-08 14:21:00"},"problem_types":["CWE-306"],"metrics":[],"references":[{"url":"https://www.oracle.com/security-alerts/cpuoct2022.html","name":"https://www.oracle.com/security-alerts/cpuoct2022.html","refsource":"MISC","tags":[],"title":"Oracle Critical Patch Update Advisory - October 2022","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://packetstormsecurity.com/files/171208/Oracle-E-Business-Suite-EBS-Unauthenticated-Arbitrary-File-Upload.html","name":"http://packetstormsecurity.com/files/171208/Oracle-E-Business-Suite-EBS-Unauthenticated-Arbitrary-File-Upload.html","refsource":"MISC","tags":[],"title":"Oracle E-Business Suite (EBS) Unauthenticated Arbitrary File Upload ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-21587","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-21587","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"21587","vulnerable":"1","versionEndIncluding":"12.2.11","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"e-business_suite","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":{"cve_year":"2022","cve_id":"21587","cve":"CVE-2022-21587","vendorProject":"Oracle","product":"E-Business Suite","vulnerabilityName":"Oracle E-Business Suite Unspecified Vulnerability","dateAdded":"2023-02-02","shortDescription":"Oracle E-Business Suite contains an unspecified vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator.","requiredAction":"Apply updates per vendor instructions.","dueDate":"2023-02-23","knownRansomwareCampaignUse":"Known","notes":"https://www.oracle.com/security-alerts/cpuoct2022.html;  https://nvd.nist.gov/vuln/detail/CVE-2022-21587","cwes":"CWE-306","catalogVersion":"2026.04.22","updated_at":"2026-04-22 20:03:10"},"epss":{"cve_year":"2022","cve_id":"21587","cve":"CVE-2022-21587","epss":"0.943970000","percentile":"0.999740000","score_date":"2026-04-22","updated_at":"2026-04-23 00:03:16"},"legacy_qids":[{"cve":"CVE-2022-21587","qid":"20324","title":"Oracle E-Business Suite Remote Code Execution (RCE) Vulnerability (CPUOCT2022)"},{"cve":"CVE-2022-21587","qid":"377792","title":"Oracle E-Business Suite Remote Code Execution (RCE) Vulnerability (CPUOCT2022)"},{"cve":"CVE-2022-21587","qid":"730670","title":"Oracle E-Business Suite Multiple Security Vulnerabilities (CPUOCT2022)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ASSIGNER":"secalert_us@oracle.com","ID":"CVE-2022-21587","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Web Applications Desktop Integrator","version":{"version_data":[{"version_value":"12.2.3-12.2.11","version_affected":"="}]}}]},"vendor_name":"Oracle Corporation"}]}},"description":{"description_data":[{"lang":"eng","value":"Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)."}]},"impact":{"cvss":{"baseScore":"9.8","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator.  Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator."}]}]},"references":{"reference_data":[{"url":"https://www.oracle.com/security-alerts/cpuoct2022.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpuoct2022.html"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/171208/Oracle-E-Business-Suite-EBS-Unauthenticated-Arbitrary-File-Upload.html","url":"http://packetstormsecurity.com/files/171208/Oracle-E-Business-Suite-EBS-Unauthenticated-Arbitrary-File-Upload.html"}]}},"nvd":{"publishedDate":"2022-10-18 21:15:00","lastModifiedDate":"2023-08-08 14:21:00","problem_types":["CWE-306"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:e-business_suite:*:*:*:*:*:*:*:*","versionStartIncluding":"12.2.3","versionEndIncluding":"12.2.11","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"21587","Ordinal":"221219","Title":"CVE-2022-21587","CVE":"CVE-2022-21587","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"21587","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}