CVE-2018-2879

CRITICAL

Oracle Fusion Middleware 11.1.2.3.0-12.2.1.3.0 - Unauthenticated RCE

Title source: llm

Description

Vulnerability in the Oracle Access Manager component of Oracle Fusion Middleware (subcomponent: Authentication Engine). Supported versions that are affected are 11.1.2.3.0 and 12.2.1.3.0. This difficult-to-exploit vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. While the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. Note: Please refer to My Oracle Support Note 2386496.1 (http://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=2386496.1) for instructions on how to address this issue. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

Exploits (3)

1. redtimmy/OAMBuster (poc, 25 stars; nomisec: WORKING POC)
   https://github.com/redtimmy/OAMBuster
2. MostafaSoliman/Oracle-OAM-Padding-Oracle-CVE-2018-2879-Exploit (poc, 11 stars; nomisec: WORKING POC)
   https://github.com/MostafaSoliman/Oracle-OAM-Padding-Oracle-CVE-2018-2879-Exploit
3. AymanElSherif/oracle-oam-authentication-bypas-exploit (poc, 7 stars; nomisec: WORKING POC)
   https://github.com/AymanElSherif/oracle-oam-authentication-bypas-exploit

Scores

CVSS v3 9.0
EPSS 0.4445
EPSS Percentile 97.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

Status published
Products (2)
oracle/access_manager 11.1.2.3.0
oracle/access_manager 12.2.1.3.0
Published Apr 19, 2018
Tracked Since Feb 18, 2026