CVE-2025-61884
BaseFortify
Publication date: 2025-10-12
Last updated on: 2025-10-27
Assigner: Oracle
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oracle | configurator | From 12.2.3 (inc) to 12.2.14 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
| CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
| CWE-501 | The product mixes trusted and untrusted data in the same data structure or structured message. |
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-61884 is a security vulnerability in the Oracle Configurator Runtime UI component of Oracle E-Business Suite versions 12.2.3 through 12.2.14. It allows an unauthenticated attacker to remotely exploit the system over a network via HTTP without needing any credentials or user interaction. The vulnerability can lead to unauthorized access to sensitive data within Oracle Configurator. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker to gain unauthorized access to critical or sensitive data within the Oracle Configurator environment. Although it does not affect data integrity or system availability, the confidentiality impact is high, meaning sensitive information could be exposed to unauthorized parties. [1]
What immediate steps should I take to mitigate this vulnerability?
Apply the provided security updates or mitigations from Oracle immediately. Ensure your Oracle E-Business Suite versions are under Premier or Extended Support to receive patches. If your versions are outside these support phases, consider upgrading to supported versions. Additionally, apply all Security Alerts and Critical Patch Updates promptly to maintain security. [1]