CVE-2022-21445

CRITICAL KEV

Oracle Application Development Framework - Insecure Deserialization

Title source: rule

Description

Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in takeover of Oracle Application Development Framework (ADF). Note: Oracle Application Development Framework (ADF) is downloaded via Oracle JDeveloper Product. Please refer to Fusion Middleware Patch Advisor for more details. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploits (2)

nomisec WRITEUP 3 stars
by hienkiet · remote
https://github.com/hienkiet/CVE-2022-21445-for-12.2.1.3.0-Weblogic
nomisec WORKING POC
by NeCr00 · poc
https://github.com/NeCr00/CVE-2022-21445

References (2)

Scores

CVSS v3 9.8
EPSS 0.9203
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation Intel

CISA KEV 2024-09-18
VulnCheck KEV 2023-10-08
InTheWild.io 2024-09-18
ENISA EUVD EUVD-2022-26669

Classification

CWE
CWE-502
Status published

Affected Products (2)

oracle/application_development_framework
oracle/application_development_framework

Timeline

Published Apr 19, 2022
KEV Added Sep 18, 2024
Tracked Since Feb 18, 2026