CVE-2022-21445

CRITICAL KEV

Oracle Application Development Framework - Insecure Deserialization

Title source: rule

Description

Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in takeover of Oracle Application Development Framework (ADF). Note: Oracle Application Development Framework (ADF) is downloaded via Oracle JDeveloper Product. Please refer to Fusion Middleware Patch Advisor for more details. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploits (2)

nomisec WRITEUP 3 stars

by hienkiet · remote

https://github.com/hienkiet/CVE-2022-21445-for-12.2.1.3.0-Weblogic

View Code ZIP pw:eip

nomisec WORKING POC

by NeCr00 · poc

https://github.com/NeCr00/CVE-2022-21445

View Code ZIP pw:eip

References (2)

Core 2

Core References

Vendor Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpuapr2022.html

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-21445

Scores

CVSS v3 9.8

EPSS 0.9203

EPSS Percentile 99.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable yes

Technical Impact total

Details

CISA KEV 2024-09-18

VulnCheck KEV 2023-10-08

InTheWild.io 2024-09-18

ENISA EUVD EUVD-2022-26669

CWE

CWE-502

Status published

Products (2)

oracle/application_development_framework 12.2.1.3.0

oracle/application_development_framework 12.2.1.4.0

Published Apr 19, 2022

KEV Added Sep 18, 2024

Tracked Since Feb 18, 2026