Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle OCI CLI product of Oracle Open Source Projects. The supported versions that is affected is 3.77. Easily exploitable vulnerability allows unauthenticated attacker with network access to compromise Oracle OCI CLI. Successful attacks of this vulnerability can result in Oracle OCI CLI allowing users to place imported files outside the intended directory.
AnalysisAI
Oracle OCI CLI version 3.77 allows local attackers with user interaction to place imported files outside the intended directory, compromising file integrity and enabling potential code execution or data exfiltration. The vulnerability requires local access and user interaction but carries high integrity impact through arbitrary file placement. No active exploitation or public exploit code has been identified at the time of analysis.
Technical ContextAI
Oracle OCI CLI is a command-line interface tool for managing Oracle Cloud Infrastructure resources. The vulnerability resides in the file import functionality, where insufficient path validation permits directory traversal attacks. When a user imports a file (likely through a specific CLI command or configuration loading mechanism), an attacker can craft a malicious import source that bypasses directory restrictions and places files outside the designated import directory. This is a classic path traversal vulnerability (CWE category, though not explicitly numbered in available data) affecting file handling logic. The attack vector is local (AV:L) rather than network-based, suggesting the vulnerability requires either direct filesystem access or interaction with a local user who initiates the import action.
RemediationAI
Upgrade Oracle OCI CLI to a patched version released after 3.77. Consult Oracle's official security advisory at https://www.oracle.com/security-alerts/all-oracle-cves-outside-other-oracle-public-documents.html for the specific patched version number and upgrade instructions. As an interim compensating control, restrict the use of the OCI CLI import functionality to trusted users and audit all file import operations through logging or file integrity monitoring. Disable or restrict access to the import feature if it is not essential for your operations. Additionally, monitor the import directory and parent directories for unexpected file creation or modification, particularly files with unexpected ownership or permissions. Educate users not to import files from untrusted sources and to verify the integrity and origin of any imported configuration files before use.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27534
GHSA-x8v7-mg93-8rrg