Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2016-0491

Unspecified vulnerability in the Oracle Application Testing Suite component in Oracle Enterprise Manager Grid Control 12.4.0.2 and 12.5.0.2 allows remote attackers to affect integrity and availability via unknown vectors related to Load Testing for Web Apps. NOTE: the previous information is from the January 2016 CPU. Oracle has not commented on third-party claims that the UploadFileAction servlet allows remote authenticated users to upload and execute arbitrary files via an * (asterisk) character in the fileType parameter.

Published

2016-01-21T03:00:39.387

Last Modified

2025-04-12T10:46:40.837

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 6.4 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:N/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

4.9

Weaknesses

Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	oracle	application_testing_suite	12.4.0.2	Yes
Application	oracle	application_testing_suite	12.5.0.2	Yes

References

http://packetstormsecurity.com/files/137175/Oracle-ATS-Arbitrary-File-Upload.html Exploit ([email protected])
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html Patch, Vendor Advisory ([email protected])
http://www.rapid7.com/db/modules/exploit/multi/http/oracle_ats_file_upload Third Party Advisory, VDB Entry ([email protected])
http://www.securityfocus.com/bid/81169 Third Party Advisory, VDB Entry ([email protected])
http://www.securitytracker.com/id/1034734 Third Party Advisory, VDB Entry ([email protected])
http://www.zerodayinitiative.com/advisories/ZDI-16-047 Third Party Advisory, VDB Entry ([email protected])
https://www.exploit-db.com/exploits/39691/ Exploit, Third Party Advisory, VDB Entry ([email protected])
https://www.exploit-db.com/exploits/39852/ Exploit, Third Party Advisory, VDB Entry ([email protected])
http://packetstormsecurity.com/files/137175/Oracle-ATS-Arbitrary-File-Upload.html Exploit (af854a3a-2127-422b-91ae-364da2661108)
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.rapid7.com/db/modules/exploit/multi/http/oracle_ats_file_upload Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/81169 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id/1034734 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.zerodayinitiative.com/advisories/ZDI-16-047 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://www.exploit-db.com/exploits/39691/ Exploit, Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://www.exploit-db.com/exploits/39852/ Exploit, Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)