CVE-2022-21587
CVE-2022-21587 is a critical-severity vulnerability in Oracle E-business Suite with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-02-02). The underlying weakness is classified as CWE-306.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 98% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2023-02-02)
- EU (EUVD) id: EUVD-2022-26811
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2023-02-02)
- Weakness: CWE-306
- Affected product: Oracle E-business Suite
- Published:
- Last modified:
Description
Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CVE-2022-21587: Oracle E-Business Suite Web Applications Desktop Integrator Unauthenticated Upload Vulnerability
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE | CVE-2022-21587 |
| Product | Oracle Web Applications Desktop Integrator (Oracle E-Business Suite) |
| Component | Upload |
| CVSS 3.1 | 9.8 (CRITICAL) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| EPSS | 0.98342 |
| KEV | Yes (since 2023-02-02) |
| CWE | CWE-306 |
| Published | 2022-10-18 |
Summary
A critical vulnerability in the Oracle Web Applications Desktop Integrator component of Oracle E-Business Suite allows unauthenticated remote attackers with network access via HTTP to compromise the application, potentially leading to full system takeover.
Background
Oracle Web Applications Desktop Integrator (Web ADI) is a component of Oracle E-Business Suite that enables desktop integration with Oracle applications, allowing users to upload data from desktop applications into Oracle E-Business Suite. This functionality is commonly used in enterprise environments for bulk data import and integration tasks.
Root Cause
The vulnerability is classified as CWE-306 (Missing Authentication for Critical Function). The Upload component of Oracle Web Applications Desktop Integrator fails to enforce proper authentication controls on the upload endpoint, allowing an unauthenticated remote attacker to interact with the upload functionality and submit arbitrary files to the system.
Impact
With a CVSS 3.1 base score of 9.8 (CRITICAL), this vulnerability presents a severe risk. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates:
- Attack Vector (AV): Network — exploitable remotely without access to the target system
- Attack Complexity (AC): Low — trivial conditions to exploit
- Privileges Required (PR): None — no authentication or privileges needed
- User Interaction (UI): None — no user interaction required
- Scope (S): Unchanged — the vulnerable component and impacted component are the same
- Confidentiality (C): High — total information disclosure
- Integrity (I): High — total compromise of system integrity
- Availability (A): High — total denial of service
Successful exploitation can result in complete takeover of the Oracle Web Applications Desktop Integrator application.
Exploitation Walkthrough
Ethics caveat: This section describes the vulnerability class in defensive terms. Do not use this information for unauthorized access to systems you do not own or have permission to test.
This vulnerability represents an unauthenticated arbitrary file upload weakness. An attacker with network access to the Oracle Web Applications Desktop Integrator upload endpoint can submit a crafted request containing a malicious file payload without providing any authentication credentials. Because the application fails to validate the requester's identity before processing the upload, the server accepts and processes the file. Depending on the application's configuration and server environment, the uploaded file may be stored in a web-accessible location or processed by the application, potentially leading to remote code execution and system compromise.
Defenders should:
- Monitor HTTP POST requests to upload endpoints for anomalous file types or sizes
- Implement web application firewall (WAF) rules to detect and block suspicious upload requests
- Restrict network access to the Oracle Web Applications Desktop Integrator endpoints to authorized hosts only
Affected and Patched Versions
- Affected: Oracle E-Business Suite versions 12.2.3 through 12.2.11
- Patched: Specific patch information is not provided in the available data; refer to Oracle's October 2022 Critical Patch Update (CPU) for remediation details. Oracle E-Business Suite administrators should consult Oracle Support for the latest patch availability.
Remediation
- Apply patches: Apply the relevant patches from Oracle's October 2022 Critical Patch Update as soon as possible.
- Upgrade: Migrate to a supported version of Oracle E-Business Suite that includes the fix for this vulnerability.
- Compensating controls:
- Restrict network access to Oracle Web Applications Desktop Integrator endpoints to trusted administrative hosts only
- Implement network segmentation to isolate Oracle E-Business Suite instances from untrusted networks
- Deploy a web application firewall (WAF) with rules to detect and block unauthenticated upload attempts
- Enable comprehensive logging on upload endpoints and monitor for suspicious activity
Detection
- Monitor web server logs for unauthorized POST requests to Oracle Web Applications Desktop Integrator upload endpoints
- Look for anomalous file uploads or unexpected file types being processed by the application
- Use intrusion detection systems (IDS) to identify known exploit patterns targeting this vulnerability
- Correlate network traffic with CISA's Known Exploited Vulnerabilities (KEV) catalog alerts for CVE-2022-21587
Assessment
- EPSS Score: 0.98342 (99.911th percentile), indicating an extremely high probability of exploitation in the wild
- KEV Status: Listed in CISA's Known Exploited Vulnerabilities catalog since 2023-02-02, and also flagged in the EU vulnerability database (EUVD-2022-26811) as exploited since 2023-02-02
This vulnerability demonstrates two critical lessons for enterprise security teams:
- Authentication is non-negotiable for critical functions: Upload endpoints handling sensitive data or system interactions must always require strong authentication, even for externally facing components in complex enterprise suites.
- High EPSS + KEV correlation demands immediate action: When a vulnerability has both a near-maximum EPSS score and confirmed KEV status, organizations should treat it as actively exploited and prioritize patching above routine maintenance.
References
Frequently asked questions
- What is CVE-2022-21587?
- Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
- How severe is CVE-2022-21587?
- CVE-2022-21587 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2022-21587 being actively exploited?
- Yes. CVE-2022-21587 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-02-02, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2022-21587?
- CVE-2022-21587 affects Oracle E-business Suite. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2022-21587?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2022-21587 have an EU (EUVD) identifier?
- Yes. CVE-2022-21587 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-26811. It is also flagged as exploited in the EUVD (since 2023-02-02).
- When was CVE-2022-21587 published?
- CVE-2022-21587 was published on 2022-10-18 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/171208/Oracle-E-Business-Suite-EBS-Unauthenticated-Arbitrary-File-Upload.html
- https://www.oracle.com/security-alerts/cpuoct2022.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-21587
Affected products (1)
- cpe:2.3:a:oracle:e-business_suite:*:*:*:*:*:*:*:*
More vulnerabilities in Oracle E-business Suite
- CVE-2015-4839 — Critical (CVSS 10.0): Unspecified vulnerability in the Oracle Applications Technology Stack component in Oracle E-Business Suite 11.5.10.2…
- CVE-2015-4798 — Critical (CVSS 10.0): Unspecified vulnerability in the Oracle Applications Technology Stack component in Oracle E-Business Suite 11.5.10.2…
- CVE-2008-1826 — Critical (CVSS 10.0): Multiple unspecified vulnerabilities in Oracle E-Business Suite 11.5.10.2 have unknown impact and attack vectors…
- CVE-2008-0343 — Critical (CVSS 10.0): Unspecified vulnerability in the Oracle Spatial component in Oracle Database 9.0.1.5 FIPS+, 9.2.0.8, 9.2.0.8DV, and…
- CVE-2008-0347 — Critical (CVSS 10.0): Unspecified vulnerability in the Oracle Ultra Search component in Oracle Collaboration Suite 10.1.2; Database 9.2.0.8,…
- CVE-2008-0340 — Critical (CVSS 10.0): Multiple unspecified vulnerabilities in Oracle Database 9.0.1.5 FIPS+, 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.3 have…
All CVEs affecting Oracle E-business Suite →
Other CWE-306 (Missing Authentication for Critical Function) vulnerabilities
- CVE-2026-54309 — Critical (CVSS 10.0): n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, when @n8n/mcp-browser is run in HTTP…
- CVE-2026-50242 — Critical (CVSS 10.0): In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429…
- CVE-2026-49257 — Critical (CVSS 10.0): mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1…
- CVE-2026-46846 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework).…
- CVE-2026-46803 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework).…
- CVE-2026-46800 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites).…
Browse all CWE-306 (Missing Authentication for Critical Function) vulnerabilities →