Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
HTTP-reachable, unauthenticated, no UI per Oracle; high confidentiality and DoS impact, no integrity change, no scope change beyond the Tools tier.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Tools accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).
AnalysisAI
Unauthenticated remote compromise in Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 allows network attackers to obtain unauthorized access to critical data and cause a complete denial of service via HTTP against the Enterprise Infrastructure Security component. Oracle rates this 9.1 (CVSS 3.1) reflecting high confidentiality and availability impact with no authentication or user interaction required, though no public exploit identified at time of analysis and it is not listed in CISA KEV.
Technical ContextAI
JD Edwards EnterpriseOne Tools is the runtime and administrative tier of Oracle's JDE ERP suite, providing the web-facing infrastructure (HTML Server, Server Manager, Enterprise Server connectivity) that fronts business logic and data for finance, HR, and supply chain modules. The flaw resides in the Enterprise Infrastructure Security component, which handles authentication, session, and access-control plumbing for HTTP-facing services. While no CWE is assigned, the tag 'Authentication Bypass' combined with a PR:N / C:H / I:N / A:H profile is consistent with a flaw that lets requests reach protected functionality without valid credentials, exposing data reads and resource-exhaustion paths but not write/integrity operations.
RemediationAI
Apply Patch available per vendor advisory - install the fixes shipped in Oracle's June 2026 Critical Patch Update at https://www.oracle.com/security-alerts/cspujun2026.html, which addresses JD Edwards EnterpriseOne Tools through 9.2.26.2; Oracle does not publish a discrete fixed version number in the public advisory, so confirm the target Tools release via My Oracle Support before scheduling. Until patching is complete, restrict HTTP and HTTPS access to JDE Tools components (HTML Server, Server Manager, JAS) to trusted management networks via firewall or reverse-proxy ACLs, place the web tier behind an authenticating reverse proxy or VPN, and disable any internet exposure of the administrative endpoints - be aware this will break partner integrations and remote employee access that rely on direct HTTP reachability. Increase monitoring on the Enterprise Infrastructure Security component logs for anomalous unauthenticated requests and sudden process hangs or crashes consistent with the DoS impact.
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly
In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. Rated critical severity (CVS
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela
Vulnerability in the Advanced Networking Option component of Oracle Database Server. Rated high severity (CVSS 8.3), thi
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37229