9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9 High
AI Score
Confidence
High
0.019 Low
EPSS
Percentile
88.8%
The versions of Oracle Application Testing Suite installed on the remote host are affected by multiple vulnerabilities as referenced in the April 2024 CPU advisory:
Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager (component: Load Testing for Web Apps (BSAFE Crypto-J)). The supported version that is affected is 13.3.0.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Testing Suite. Successful attacks of this vulnerability can result in takeover of Oracle Application Testing Suite. (CVE-2022-34381)
Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager (component: Load Testing for Web Apps (Apache Commons BCEL)). The supported version that is affected is 13.3.0.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Testing Suite. Successful attacks of this vulnerability can result in takeover of Oracle Application Testing Suite.
(CVE-2022-42920)
Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager (component: Load Testing for Web Apps (Apache Derby)). The supported version that is affected is 13.3.0.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Testing Suite. Successful attacks of this vulnerability can result in takeover of Oracle Application Testing Suite.
(CVE-2022-46337)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(193571);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/22");
script_cve_id(
"CVE-2022-34381",
"CVE-2022-42920",
"CVE-2022-46337",
"CVE-2023-1370"
);
script_name(english:"Oracle Application Testing Suite (April 2024 CPU)");
script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by multiple vulnerabilities");
script_set_attribute(attribute:"description", value:
"The versions of Oracle Application Testing Suite installed on the remote host are affected by multiple vulnerabilities
as referenced in the April 2024 CPU advisory:
- Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager (component: Load
Testing for Web Apps (BSAFE Crypto-J)). The supported version that is affected is 13.3.0.1. Easily exploitable
vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application
Testing Suite. Successful attacks of this vulnerability can result in takeover of Oracle Application Testing
Suite. (CVE-2022-34381)
- Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager (component: Load Testing
for Web Apps (Apache Commons BCEL)). The supported version that is affected is 13.3.0.1. Easily exploitable
vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Testing
Suite. Successful attacks of this vulnerability can result in takeover of Oracle Application Testing Suite.
(CVE-2022-42920)
- Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager (component: Load Testing
for Web Apps (Apache Derby)). The supported version that is affected is 13.3.0.1. Easily exploitable vulnerability
allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Testing Suite.
Successful attacks of this vulnerability can result in takeover of Oracle Application Testing Suite.
(CVE-2022-46337)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/docs/tech/security-alerts/cpuapr2024csaf.json");
script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpuapr2024.html");
script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the April 2024 Oracle Critical Patch Update advisory.");
script_set_attribute(attribute:"agent", value:"all");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-46337");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2024/04/16");
script_set_attribute(attribute:"patch_publication_date", value:"2024/04/16");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/04/19");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:application_testing_suite");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("oracle_application_testing_suite_installed.nbin");
script_require_keys("installed_sw/Oracle Application Testing Suite");
exit(0);
}
include('vcf_extras_oracle.inc');
var app_info = vcf::oracle_oats::get_app_info();
var patches_to_report;
var patches_to_check;
if (get_kb_item('SMB/Registry/Enumerated'))
{
patches_to_report = make_list('36496061');
}
else
{
patches_to_report = make_list('36496061', '34395275');
patches_to_check = make_list('34395275');
}
var constraints = [
{ 'min_version' : '13.3.0.1', 'fixed_version' : '13.3.0.1.593' }
];
vcf::oracle_oats::check_version_and_report(
app_info:app_info,
severity:SECURITY_HOLE,
constraints:constraints,
patches_to_report:patches_to_report,
patches_to_check:patches_to_check
);
Vendor | Product | Version | CPE |
---|---|---|---|
oracle | application_testing_suite | cpe:/a:oracle:application_testing_suite |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34381
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42920
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46337
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1370
www.oracle.com/docs/tech/security-alerts/cpuapr2024csaf.json
www.oracle.com/security-alerts/cpuapr2024.html
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9 High
AI Score
Confidence
High
0.019 Low
EPSS
Percentile
88.8%