Synced 17 Jun 2026 22:27 UTC Account
← All products

CVE-2022-21587

CRITICAL severity · CVSS 9.8 · Missing authentication · actively exploited (CISA KEV)
9.8CVSS CRITICAL exploited ransomware
Actively exploited in the wild (CISA Known Exploited Vulnerabilities). Known use in ransomware campaigns. Added to KEV 2023-02-02. US federal agencies must patch by 2023-02-23.

Summary

Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Impact & exploitability

Attack vectorNetwork
Attack complexityLow
Privileges requiredNone
User interactionNone
Confidentiality impactHigh
Integrity impactHigh
Availability impactHigh
Exploit probability (EPSS)98%

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products we track (1)

E-Business Suite

Recommendation

This vulnerability is being actively exploited in the wild — patch affected products urgently. Open any affected product above for its exact safe version.

Official patch: https://www.oracle.com/security-alerts/cpuoct2022.html ↗

Additional information