Skip to main content

Api Gateway CVE-2017-3601

HIGH
2017-04-24 secalert_us@oracle.com
8.1
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
CVE Published
Apr 24, 2017 - 19:59 cve.org
HIGH 8.1

DescriptionCVE.org

Vulnerability in the Oracle API Gateway component of Oracle Fusion Middleware (subcomponent: Oracle API Gateway). The supported version that is affected is 11.1.2.4.0. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle API Gateway. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle API Gateway accessible data as well as unauthorized access to critical data or complete access to all Oracle API Gateway accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N).

AnalysisAI

Vulnerability in the Oracle API Gateway component of Oracle Fusion Middleware (subcomponent: Oracle API Gateway). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

Vulnerability in the Oracle API Gateway component of Oracle Fusion Middleware (subcomponent: Oracle API Gateway). The supported version that is affected is 11.1.2.4.0. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle API Gateway. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle API Gateway accessible data as well as unauthorized access to critical data or complete access to all Oracle API Gateway accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N). Affected products include: Oracle Api Gateway.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2017-5645 CRITICAL POC
9.8 Apr 17

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events

CVE-2019-15631 CRITICAL
9.8 Dec 02

Remote Code Execution vulnerability in MuleSoft Mule CE/EE 3.x and API Gateway 2.x released before October 31, 2019 allo

CVE-2018-1000613 CRITICAL
9.8 Jul 09

Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contain

CVE-2018-5407 MEDIUM POC
4.7 Nov 15

Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks

CVE-2020-11979 HIGH
7.5 Oct 01

As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the

CVE-2019-15630 HIGH
7.5 Aug 30

Directory Traversal in APIkit, HTTP connector, and OAuth2 Provider components in MuleSoft Mule Runtime 3.2.0 and higher

CVE-2018-1000180 HIGH
7.5 Jun 05

Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key p

CVE-2016-3118 MEDIUM
6.5 Apr 06

CRLF injection vulnerability in CA API Gateway (formerly Layer7 API Gateway) 7.1 before 7.1.04, 8.0 through 8.3 before 8

CVE-2015-3195 MEDIUM
5.3 Dec 06

The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 bef

CVE-2020-1971 MEDIUM
5.9 Dec 08

The X.509 GeneralName type is a generic type for representing different types of names. Rated medium severity (CVSS 5.9)

CVE-2019-1559 MEDIUM
5.9 Feb 27

If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, an

CVE-2018-0734 MEDIUM
5.9 Oct 30

The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. Rated medium severi

Share

CVE-2017-3601 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy