A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Please refer to:
Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.
This Critical Patch Update contains 422 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at October 2020 Critical Patch Update: Executive Summary and Analysis.
Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column.
Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.
Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.
Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is its unique identifier. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.
Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).
Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.
The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.
Oracle strongly recommends that customers apply security patches as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security patches announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.
Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.
Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.
Database, Fusion Middleware, and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.
The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:
Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.
In this Critical Patch Update, Oracle recognizes the following for contributions to Oracle's Security-In-Depth program.:
Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle's on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle's on-line external-facing systems.
For this quarter, Oracle recognizes the following for contributions to Oracle's On-Line Presence Security program:
Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
Date | Note |
---|---|
2020-December-8 | Rev 6. Added a note for CVE-2020-14871. |
2020-November-16 | Rev 5. Updated Oracle ZFS Storage Appliance Kit row to include CVE-2020-14871. |
2020-October-29 | Rev 4. Added CVE-2018-2765. |
2020-October-27 | Rev 3. Credit statement update. |
2020-October-22 | Rev 2. Affected version change for CVE-2020-14807, CVE-2020-14810 and credit statement update. |
2020-October-20 | Rev 1. Initial Release. |
This Critical Patch Update contains 47 new security patches for Oracle Database Products divided as follows:
This Critical Patch Update contains 31 new security patches for Oracle Database Products. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 7 of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2019-12900 | Core RDBMS (bzip2) | DBA Level Account | Oracle Net | No | 8.8 | Network | Low | Low | None | Un- changed |
High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | |
CVE-2020-14735 | Scheduler | Local Logon | None | No | 8.8 | Local | Low | Low | None | Changed | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | |
CVE-2020-14734 | Oracle Text | None | Oracle Net | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | |
CVE-2018-2765 | Oracle SSL API | None | HTTPS | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | 11.2.0.4, 12.1.0.2, 12.2.0.1 | |
CVE-2020-13935 | Workload Manager (Apache Tomcat) | None | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 12.2.0.1, 18c, 19c | |
CVE-2020-11023 | Oracle Application Express (jQuery) | None | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Prior to 20.2 | |
CVE-2020-11023 | ORDS (jQuery) | None | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | See Note 1 |
CVE-2020-14762 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 20.2 | |
CVE-2020-9281 | Oracle Application Express | Valid User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 20.2 | |
CVE-2020-14899 | Oracle Application Express Data Reporter | Valid User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 20.2 | |
CVE-2020-14900 | Oracle Application Express Group Calendar | Valid User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 20.2 | |
CVE-2020-14898 | Oracle Application Express Packaged Apps | Valid User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 20.2 | |
CVE-2020-14763 | Oracle Application Express Quick Poll | Valid User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 20.2 | |
CVE-2020-14741 | Database Filesystem | Resource, Create Table, Create View, Create Procedure, Dbfs_role | Oracle Net | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 11.2.0.4, 12.1.0.2, 12.2.0.1 | |
CVE-2020-14901 | RDBMS Security | Analyze Any | Oracle Net | No | 4.9 | Network | Low | High | None | Un- changed |
High | None | None | 19c | |
CVE-2020-14736 | Database Vault | Create Public Synonym | Oracle Net | No | 3.8 | Network | Low | High | None | Un- changed |
Low | Low | None | 11.2.0.4, 12.1.0.2, 12.2.0.1 | |
CVE-2020-14743 | Java VM | Create Procedure | Multiple | No | 3.1 | Network | High | Low | None | Un- changed |
None | Low | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | |
CVE-2020-14740 | SQL Developer Install | Client Computer User Account | Local Logon | No | 2.8 | Local | Low | Low | Required | Un- changed |
Low | None | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c | |
CVE-2020-14742 | Core RDBMS | SYSDBA level account | Oracle Net | No | 2.7 | Network | Low | High | None | Un- changed |
None | Low | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | |
CVE-2019-17543 | Core RDBMS (LZ4) | DBA Level account | Local Logon | No | 0.0 | Local | High | High | None | Un- changed |
None | None | None | 19c | |
CVE-2019-11922 | Core RDBMS (Zstandard) | None | Oracle Net | No | 0.0 | Network | High | None | None | Un- changed |
None | None | None | 19c | |
CVE-2018-20843 | Oracle Database (Perl Expat) | Computer User Account | Multiple | No | 0.0 | Network | Low | Low | None | Un- changed |
None | None | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | |
CVE-2020-9488 | Oracle Spatial and Graph (Apache Log4j) | None | SMTPS | No | 0.0 | Network | Low | None | None | Un- changed |
None | None | None | 12.2.0.1, 18c, 19c | |
CVE-2019-16943 | Oracle Spatial and Graph (jackson-databind) | Create Session | Multiple | No | 0.0 | Network | Low | Low | None | Un- changed |
None | None | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c | See Note 2 |
CVE-2020-11023 | Oracle Spatial and Graph MapViewer (jQuery) | None | HTTP | No | 0.0 | Network | Low | None | Required | Changed | None | None | None | 12.2.0.1, 18c, 19c | |
CVE-2018-8013 | SQL Developer (Apache Batik) | None | HTTP | No | 0.0 | Network | Low | None | None | Un- changed |
None | None | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c | |
CVE-2017-5645 | SQL Developer (Apache Log4j) | None | Multiple | No | 0.0 | Network | Low | None | None | Un- changed |
None | None | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c | |
CVE-2017-12626 | SQL Developer (Apache POI) | None | Multiple | No | 0.0 | Local | Low | None | Required | Un- changed |
None | None | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c | |
CVE-2018-7489 | SQL Developer (jackson-databind) | None | HTTP | No | 0.0 | Network | High | None | None | Un- changed |
None | None | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c | |
CVE-2016-5725 | SQL Developer (JCraft JSch) | None | SFTP | No | 0.0 | Network | Low | None | None | Un- changed |
None | None | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c | |
CVE-2019-17359 | SQL Developer Install (Bouncy Castle) | None | Multiple | No | 0.0 | Local | Low | Low | Required | Un- changed |
None | None | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c |
This Critical Patch Update contains 5 new security patches for Oracle Big Data Graph. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2019-0192 | Big Data Spatial and Graph | Property Graph Analytics (Apache Solr) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | Prior to 3.0 | |
CVE-2015-9251 | Big Data Spatial and Graph | Property Graph Analytics (jQuery) | HTTP | No | 0.0 | Network | Low | Low | Required | Changed | None | None | None | Prior to 2.4 | See Note 1 |
CVE-2020-9546 | Big Data Spatial and Graph | Property Graph Analytics (jackson-databind) | HTTP | No | 0.0 | Network | Low | Low | None | Un- changed |
None | None | None | Prior to 20.2 | See Note 1 |
CVE-2019-10744 | Big Data Spatial and Graph | Property Graph Analytics (lodash) | HTTP | No | 0.0 | Network | Low | None | None | Un- changed |
None | None | None | Prior to 20.2 | See Note 1 |
CVE-2017-5645 | Big Data Spatial and Graph | Property Graph Analytics (Apache Log4j) | Multiple | No | 0.0 | Network | Low | None | None | Un- changed |
None | None | None | Prior to 3.0 | See Note 1 |
This Critical Patch Update contains 7 new security patches for Oracle REST Data Services. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2017-7658 | Oracle REST Data Services | General (Eclipse Jetty) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c | |
CVE-2016-1000031 | Oracle REST Data Services | General (Apache Commons FileUpload) | HTTP | No | 8.0 | Network | Low | Low | Required | Un- changed |
High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c | |
CVE-2020-14744 | Oracle REST Data Services | General | HTTP | No | 6.5 | Network | Low | Low | None | Un- changed |
High | None | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c; Standalone ORDS: prior to 20.2.1 | |
CVE-2020-11023 | Oracle REST Data Services | General (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c; Standalone ORDS: prior to 20.2.1 | |
CVE-2020-14745 | Oracle REST Data Services | General | HTTP | No | 4.3 | Network | Low | Low | None | Un- changed |
Low | None | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c; Standalone ORDS: prior to 20.2.1 | |
CVE-2018-8013 | Oracle REST Data Services | General (Apache Batik) | HTTP | No | 0.0 | Network | Low | None | None | Un- changed |
None | None | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | |
CVE-2019-16335 | Oracle REST Data Services | General (jackson-databind) | HTTP | No | 0.0 | Network | Low | None | None | Un- changed |
None | None | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c |
This Critical Patch Update contains 4 new security patches for Oracle TimesTen In-Memory Database. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2018-11058 | Oracle TimesTen In-Memory Database | EM TimesTen plugin (RSA BSAFE Crypto-C) | Multiple | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | Prior to 18.1.4.1.0 | |
CVE-2017-5645 | Oracle TimesTen In-Memory Database | Install (Apache Log4j) | Multiple | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | Prior to 11.2.2.8.49 | |
CVE-2019-1010239 | Oracle TimesTen In-Memory Database | Install (Dave Gamble/cJSON) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | Prior to 18.1.3.1.0 | |
CVE-2019-0201 | Oracle TimesTen In-Memory Database | Install (Apache ZooKeeper) | ZAB | Yes | 5.9 | Network | High | None | None | Un- changed |
High | None | None | Prior to 18.1.3.1.0 |
This Critical Patch Update contains 9 new security patches for Oracle Communications Applications. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2019-10173 | Oracle Communications BRM - Elastic Charging Engine | Diameter Gateway and SDK (xstream) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 11.3.0.9.0, 12.0.0.3.0 | |
CVE-2020-10683 | Oracle Communications Unified Inventory Management | Core (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 7.3.0, 7.4.0 | |
CVE-2019-10173 | Oracle Communications Unified Inventory Management | Core (xstream) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 7.3.0, 7.4.0 | |
CVE-2020-10878 | Oracle Communications Billing and Revenue Management | Core (Perl) | TCP | Yes | 8.6 | Network | Low | None | None | Un- changed |
Low | Low | High | 12.0.0.2.0, 12.0.0.3.0 | |
CVE-2020-11022 | Oracle Communications Billing and Revenue Management | Billing Operation Center and Oracle Communication Billing Care (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 7.5.0.23.0, 12.0.0.3.0 | |
CVE-2020-9489 | Oracle Communications Messaging Server | Core (Apache Tika) | None | No | 5.5 | Local | Low | None | Required | Un- changed |
None | None | High | 8.1 | |
CVE-2020-9488 | Oracle Communications Billing and Revenue Management | Billing Operation Center and Oracle Communication Billing Care (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 7.5.0.23.0, 12.0.0.3.0 | |
CVE-2020-9488 | Oracle Communications Offline Mediation Controller | Core (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 12.0.0.3.0 | |
CVE-2020-9488 | Oracle Communications Unified Inventory Management | Core (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 7.3.0, 7.4.0 |
This Critical Patch Update contains 52 new security patches for Oracle Communications. 41 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2020-10683 | Oracle Communications Application Session Controller | WS and WEB (dom4j) | Multiple | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 3.9m0p1 | |
CVE-2020-11973 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (Apache Camel) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | IDIH: 8.0.0-8.2.2 | |
CVE-2020-2555 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (Oracle Coherence) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | IDIH: 8.0.0-8.2.2 | |
CVE-2020-10683 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | IDIH: 8.0.0-8.2.2 | |
CVE-2019-2904 | Oracle Communications Diameter Signaling Router (DSR) | Platform (Application Development Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 8.0.0.0-8.4.0.5 | |
CVE-2019-12260 | Oracle Communications EAGLE Software | Network Stack (Wind River VxWorks) | TCP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 46.6.0-46.8.2 | |
CVE-2020-11984 | Oracle Communications Element Manager | Core (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 8.2.0-8.2.2 | |
CVE-2020-11984 | Oracle Communications Session Report Manager | Core (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 8.2.0-8.2.2 | |
CVE-2020-11984 | Oracle Communications Session Route Manager | Core (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 8.2.0-8.2.2 | |
CVE-2019-13990 | Oracle Communications Session Route Manager | Core (Quartz Scheduler) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 8.2.0-8.2.2 | |
CVE-2019-17638 | Oracle Communications Application Session Controller | WS and WEB (Eclipse Jetty) | HTTP | Yes | 9.4 | Network | Low | None | None | Un- changed |
High | High | Low | 3.9m0p1 | |
CVE-2019-17638 | Oracle Communications Element Manager | Core (Eclipse Jetty) | HTTP | Yes | 9.4 | Network | Low | None | None | Un- changed |
High | High | Low | 8.2.0-8.2.2 | |
CVE-2019-17638 | Oracle Communications Session Report Manager | Core (Eclipse Jetty) | HTTP | Yes | 9.4 | Network | Low | None | None | Un- changed |
High | High | Low | 8.2.0-8.2.2 | |
CVE-2019-17638 | Oracle Communications Session Route Manager | Core (Eclipse Jetty) | HTTP | Yes | 9.4 | Network | Low | None | None | Un- changed |
High | High | Low | 8.2.0-8.2.2 | |
CVE-2020-14195 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | IDIH: 8.0.0-8.2.2 | |
CVE-2020-14195 | Oracle Communications Element Manager | Core (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | 8.2.0-8.2.2 | |
CVE-2020-14195 | Oracle Communications Evolved Communications Application Server | Universal Data Record (jackson-databind) | XCAP | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | 7.1 | |
CVE-2020-14195 | Oracle Communications Session Report Manager | Core (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | 8.2.0-8.2.2 | |
CVE-2020-14195 | Oracle Communications Session Route Manager | Core (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | 8.2.0-8.2.2 | |
CVE-2020-5398 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Un- changed |
High | High | High | IDIH: 8.0.0-8.2.2 | |
CVE-2019-17359 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (Bouncy Castle Java Library) | HTTPS | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | IDIH: 8.0.0-8.2.2 | |
CVE-2019-12402 | Oracle Communications Element Manager | Core (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 8.2.0-8.2.2 | |
CVE-2020-11080 | Oracle Communications Session Border Controller | System (http2) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 8.3, 8.4 | |
CVE-2019-12402 | Oracle Communications Session Report Manager | Core (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 8.2.0-8.2.2 | |
CVE-2019-12402 | Oracle Communications Session Route Manager | Core (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 8.2.0-8.2.2 | |
CVE-2019-17359 | Oracle Communications Session Route Manager | Core (Bouncy Castle Java Library) | HTTPS | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 8.2.0-8.2.2 | |
CVE-2019-10173 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (xstream) | HTTP | Yes | 7.3 | Network | Low | None | None | Un- changed |
Low | Low | Low | IDIH: 8.0.0-8.2.2 | |
CVE-2020-9484 | Oracle Communications Diameter Signaling Router (DSR) | Core (Apache Tomcat) | None | No | 7.0 | Local | High | Low | None | Un- changed |
High | High | High | 8.0.0.0-8.4.0.5 | |
CVE-2020-9484 | Oracle Communications Element Manager | Core (Apache Tomcat) | None | No | 7.0 | Local | High | Low | None | Un- changed |
High | High | High | 8.2.0-8.2.2 | |
CVE-2020-9484 | Oracle Communications Session Report Manager | Core (Apache Tomcat) | None | No | 7.0 | Local | High | Low | None | Un- changed |
High | High | High | 8.2.0-8.2.2 | |
CVE-2020-9484 | Oracle Communications Session Route Manager | Core (Apache Tomcat) | None | No | 7.0 | Local | High | Low | None | Un- changed |
High | High | High | 8.2.0-8.2.2 | |
CVE-2020-1945 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (Apache Ant) | None | No | 6.7 | Local | High | None | None | Un- changed |
High | High | None | IDIH: 8.0.0-8.2.2 | |
CVE-2020-10722 | Oracle Communications Session Border Controller | Platform (DPDK) | None | No | 6.7 | Local | Low | High | None | Un- changed |
High | High | High | 8.2-8.4 | |
CVE-2020-5408 | Oracle Communications Element Manager | Core (Spring Security) | HTTP | No | 6.5 | Network | Low | Low | None | Un- changed |
High | None | None | 8.2.0-8.2.2 | |
CVE-2020-5408 | Oracle Communications Session Report Manager | Core (Spring Security) | HTTP | No | 6.5 | Network | Low | Low | None | Un- changed |
High | None | None | 8.2.0-8.2.2 | |
CVE-2020-5408 | Oracle Communications Session Route Manager | Core (Spring Security) | HTTP | No | 6.5 | Network | Low | Low | None | Un- changed |
High | None | None | 8.2.0-8.2.2 | |
CVE-2020-11022 | Oracle Communications Application Session Controller | Core (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 3.8m0 | |
CVE-2020-1941 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (Apache ActiveMQ) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | IDIH: 8.0.0-8.2.2 | |
CVE-2020-11022 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | IDIH: 8.0.0-8.2.2 | |
CVE-2019-17091 | Oracle Communications Diameter Signaling Router (DSR) | Platform (Eclipse Mojarra) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.0.0-8.4.0.5 | |
CVE-2020-14788 | Oracle Communications Diameter Signaling Router (DSR) | User Interface | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.0.0-8.4.0.5 | |
CVE-2020-11022 | Oracle Communications WebRTC Session Controller | ME (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 7.2 | |
CVE-2020-11022 | Oracle Enterprise Session Border Controller | Core (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.4 | |
CVE-2019-12415 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (Apache POI) | None | No | 5.5 | Local | Low | Low | None | Un- changed |
High | None | None | IDIH: 8.0.0-8.2.2 | |
CVE-2020-14787 | Oracle Communications Diameter Signaling Router (DSR) | User Interface | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 8.0.0.0-8.4.0.5 | |
CVE-2019-11048 | Oracle Communications Diameter Signaling Router (DSR) | Core (PHP) | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | None | Low | 8.0.0.0-8.4.0.5 | |
CVE-2020-1954 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (Apache CXF) | HTTP | Yes | 5.3 | Adjacent Network |
High | None | None | Un- changed |
High | None | None | IDIH: 8.0.0-8.2.2 | |
CVE-2020-1954 | Oracle Communications Element Manager | Core (Apache CXF) | HTTP | Yes | 5.3 | Adjacent Network |
High | None | None | Un- changed |
High | None | None | 8.2.0-8.2.2 | |
CVE-2020-1954 | Oracle Communications Session Report Manager | Core (Apache CXF) | HTTP | Yes | 5.3 | Adjacent Network |
High | None | None | Un- changed |
High | None | None | 8.2.0-8.2.2 | |
CVE-2020-1954 | Oracle Communications Session Route Manager | Core (Apache CXF) | HTTP | Yes | 5.3 | Adjacent Network |
High | None | None | Un- changed |
High | None | None | 8.2.0-8.2.2 | |
CVE-2020-9488 | Oracle Communications Application Session Controller | WS and WEB (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 3.9m0p1 | |
CVE-2020-9488 | Oracle Communications Services Gatekeeper | Media Control UI (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 7 |
This Critical Patch Update contains 9 new security patches for Oracle Construction and Engineering. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2020-11984 | Instantis EnterpriseTrack | Core (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 17.1, 17.2, 17.3 | |
CVE-2019-17495 | Primavera Gateway | Admin (Swagger UI) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 16.2.0-16.2.11, 17.12.0-17.12.8 | |
CVE-2015-1832 | Primavera Unifier | Platform (Apache Derby) | HTTP | Yes | 9.1 | Network | Low | None | None | Un- changed |
High | None | High | 16.1, 16.2, 17.7-17.12, 18.8, 19.12 | |
CVE-2017-9096 | Primavera Unifier | Platform (iText) | HTTP | Yes | 8.8 | Network | Low | None | Required | Un- changed |
High | High | High | 16.1, 16.2, 17.7-17.12, 18.8, 19.12 | |
CVE-2020-13935 | Instantis EnterpriseTrack | Core (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 17.1, 17.2, 17.3 | |
CVE-2019-17558 | Primavera Unifier | Platform (Apache Solr) | HTTP | No | 7.5 | Network | High | Low | None | Un- changed |
High | High | High | 16.1, 16.2, 17.7-17.12, 18.8, 19.12 | |
CVE-2018-17196 | Primavera Unifier | Core (Apache Kafka) | HTTP | Yes | 7.0 | Network | High | None | None | Un- changed |
High | Low | Low | 18.8, 19.12 | |
CVE-2020-9489 | Primavera Unifier | Platform (Apache Tika) | None | No | 5.5 | Local | Low | None | Required | Un- changed |
None | None | High | 16.1, 16.2, 17.7-17.12, 18.8, 19.12 | |
CVE-2020-9488 | Primavera Unifier | Core (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 18.8, 19.12 |
This Critical Patch Update contains 27 new security patches for Oracle E-Business Suite. 25 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the October 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (October 2020), My Oracle Support Note 2707309.1.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2020-14855 | Oracle Universal Work Queue | Work Provider Administration | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.1.3 | |
CVE-2020-14805 | Oracle E-Business Suite Secure Enterprise Search | Search Integration Engine | HTTP | Yes | 9.1 | Network | Low | None | None | Un- changed |
High | High | None | 12.1.3, 12.2.3 - 12.2.10 | |
CVE-2020-14875 | Oracle Marketing | Marketing Administration | HTTP | Yes | 9.1 | Network | Low | None | None | Un- changed |
High | High | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 | |
CVE-2020-14876 | Oracle Trade Management | User Interface | HTTP | Yes | 9.1 | Network | Low | None | None | Un- changed |
High | High | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 | |
CVE-2020-14862 | Oracle Universal Work Queue | Internal Operations | HTTP | No | 8.8 | Network | Low | Low | None | Un- changed |
High | High | High | 12.2.3 - 12.2.9 | |
CVE-2020-14850 | Oracle CRM Technical Foundation | Flex Fields | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.3, 12.2.3 - 12.2.10 | |
CVE-2020-14816 | Oracle Marketing | Marketing Administration | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 | |
CVE-2020-14817 | Oracle Marketing | Marketing Administration | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 | |
CVE-2020-14831 | Oracle Marketing | Marketing Administration | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 | |
CVE-2020-14835 | Oracle Marketing | Marketing Administration | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3 | |
CVE-2020-14849 | Oracle Marketing | Marketing Administration | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 | |
CVE-2020-14819 | Oracle One-to-One Fulfillment | Print Server | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.3 | |
CVE-2020-14863 | Oracle One-to-One Fulfillment | Print Server | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3 | |
CVE-2020-14808 | Oracle Trade Management | User Interface | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.3, 12.2.3 - 12.2.10 | |
CVE-2020-14833 | Oracle Trade Management | User Interface | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 | |
CVE-2020-14834 | Oracle Trade Management | User Interface | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 | |
CVE-2020-14851 | Oracle Trade Management | User Interface | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 | |
CVE-2020-14856 | Oracle Trade Management | User Interface | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 | |
CVE-2020-14857 | Oracle Trade Management | User Interface | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 | |
CVE-2020-14774 | Oracle CRM Technical Foundation | Preferences | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 | |
CVE-2020-14761 | Oracle Applications Manager | Oracle Diagnostics Interfaces | HTTP | Yes | 6.5 | Network | Low | None | None | Un- changed |
Low | Low | None | 12.1.3, 12.2.3 - 12.2.7 | |
CVE-2020-14823 | Oracle CRM Technical Foundation | Preferences | HTTP | No | 6.5 | Network | Low | High | None | Un- changed |
High | High | None | 12.2.3 - 12.2.10 | |
CVE-2020-14811 | Oracle Applications Manager | AMP EBS Integration | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
Low | None | None | 12.1.3, 12.2.3 - 12.2.10 | |
CVE-2020-14826 | Oracle Applications Manager | SQL Extensions | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
Low | None | None | 12.1.3, 12.2.3 - 12.2.10 | |
CVE-2020-14840 | Oracle Application Object Library | Diagnostics | HTTP | Yes | 4.7 | Network | Low | None | Required | Changed | None | Low | None | 12.1.3, 12.2.3 - 12.2.10 | |
CVE-2020-14746 | Oracle Applications Framework | Popup windows | HTTP | Yes | 4.7 | Network | Low | None | Required | Changed | None | Low | None | 12.1.3, 12.2.3 - 12.2.10 | |
CVE-2020-14822 | Oracle Installed Base | APIs | HTTP | Yes | 4.7 | Network | Low | None | Required | Changed | None | Low | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 |
This Critical Patch Update contains 11 new security patches for Oracle Enterprise Manager. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here.
Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the October 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2020 Patch Availability Document for Oracle Products, My Oracle Support Note 2694898.1.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2019-13990 | Enterprise Manager Ops Center | Agent Provisioning (Quartz Scheduler) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.4.0.0 | |
CVE-2018-11058 | Oracle Application Testing Suite | Load Testing for Web Apps (RSA BSAFE Crypto-C) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 13.3.0.1 | |
CVE-2019-17638 | Oracle Application Testing Suite | Load Testing for Web Apps (Eclipse Jetty) | HTTP | Yes | 9.4 | Network | Low | None | None | Un- changed |
High | High | Low | 13.3.0.1 | |
CVE-2020-5398 | Enterprise Manager Base Platform | Connector Framework (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Un- changed |
High | High | High | 13.2.1.0 | |
CVE-2020-1967 | Enterprise Manager for Storage Management | Privilege Management (OpenSSL) | HTTPS | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 13.3.0.0, 13.4.0.0 | |
CVE-2020-5398 | Oracle Application Testing Suite | Load Testing for Web Apps (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Un- changed |
High | High | High | 13.3.0.1 | |
CVE-2019-3740 | Application Performance Management (APM) | Comp Management and Life Cycle Management (RSA BSAFE Crypto-J) | HTTPS | Yes | 6.5 | Network | Low | None | Required | Un- changed |
High | None | None | 13.3.0.0, 13.4.0.0 | |
CVE-2019-2897 | Enterprise Manager Base Platform | Event Management | HTTP | No | 6.4 | Network | Low | Low | None | Changed | Low | Low | None | 13.3.0.0, 13.4.0.0 | |
CVE-2020-11022 | Enterprise Manager Ops Center | Reports in Ops Center (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.4.0.0 | |
CVE-2020-1954 | Enterprise Manager Base Platform | Connector Framework (Apache CXF) | HTTP | Yes | 5.3 | Adjacent Network |
High | None | None | Un- changed |
High | None | None | 13.2.1.0 | |
CVE-2020-9488 | Enterprise Manager for Peoplesoft | PSEM Plugin (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 13.4.1.1 |
This Critical Patch Update contains 53 new security patches for Oracle Financial Services Applications. 49 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2019-17495 | Oracle Banking Platform | Collections (Swagger UI) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 2.4.0-2.10.0 | |
CVE-2020-10683 | Oracle Banking Platform | Collections (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 2.4.0-2.10.0 | |
CVE-2019-10173 | Oracle Banking Platform | Collections (xstream) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 2.4.0-2.10.0 | |
CVE-2020-10683 | Oracle Financial Services Analytical Applications Infrastructure | Infrastructure (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 8.0.6-8.1.0 | |
CVE-2020-9546 | Oracle Financial Services Analytical Applications Infrastructure | Infrastructure (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 8.0.6-8.1.0 | |
CVE-2020-9546 | Oracle Financial Services Institutional Performance Analytics | User Interface (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 8.0.6, 8.7.0, 8.1.0 | |
CVE-2020-9546 | Oracle Financial Services Price Creation and Discovery | User Interface (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 8.0.6, 8.0.7 | |
CVE-2017-5645 | Oracle Financial Services Regulatory Reporting with AgileREPORTER | Core (Apache Ant) | Multiple | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 8.0.9.2.0 | |
CVE-2020-9546 | Oracle Financial Services Retail Customer Analytics | User Interface (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 8.0.6 | |
CVE-2020-11973 | Oracle FLEXCUBE Private Banking | Core (Apache Camel) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.0.0, 12.1.0 | |
CVE-2020-14824 | Oracle Financial Services Analytical Applications Infrastructure | Infrastructure | HTTP | Yes | 8.6 | Network | Low | None | None | Changed | None | None | High | 8.0.6-8.1.0 | |
CVE-2020-14195 | Oracle Banking Digital Experience | Framework (jackson-databind) | HTTPS | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | 18.1, 18.2, 18.3, 19.1, 19.2, 20.1 | |
CVE-2020-5398 | Oracle Financial Services Regulatory Reporting with AgileREPORTER | Core (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Un- changed |
High | High | High | 8.0.9.2.0 | |
CVE-2020-5398 | Oracle FLEXCUBE Private Banking | Core (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Un- changed |
High | High | High | 12.0.0, 12.1.0 | |
CVE-2020-14894 | Oracle Banking Corporate Lending | Core | HTTP | No | 6.5 | Network | Low | Low | None | Un- changed |
High | None | None | 12.3.0, 14.0.0-14.4.0 | |
CVE-2020-14896 | Oracle Banking Payments | Core | HTTP | No | 6.5 | Network | Low | Low | None | Un- changed |
High | None | None | 14.1.0-14.4.0 | |
CVE-2020-14890 | Oracle FLEXCUBE Direct Banking | Pre Login | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
High | None | None | 12.0.1, 12.0.2, 12.0.3 | |
CVE-2020-14897 | Oracle FLEXCUBE Direct Banking | Pre Login | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
High | None | None | 12.0.1, 12.0.2, 12.0.3 | |
CVE-2020-14887 | Oracle FLEXCUBE Universal Banking | Infrastructure | HTTP | No | 6.5 | Network | Low | Low | None | Un- changed |
High | None | None | 12.3.0, 14.0.0-14.4.0 | |
CVE-2020-11022 | Oracle Banking Digital Experience | Framework (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 18.1, 18.2, 18.3, 19.1, 19.2, 20.1 | |
CVE-2020-11022 | Oracle Financial Services Analytical Applications Infrastructure | Infrastructure (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.1.0 | |
CVE-2020-11022 | Oracle Financial Services Analytical Applications Reconciliation Framework | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.0.8, 8.1.0 | |
CVE-2020-11022 | Oracle Financial Services Asset Liability Management | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6, 8.0.7, 8.1.0 | |
CVE-2020-11022 | Oracle Financial Services Balance Sheet Planning | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.8 | |
CVE-2020-11022 | Oracle Financial Services Basel Regulatory Capital Basic | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.0.8, 8.1.0 | |
CVE-2020-11022 | Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.0.8, 8.1.0 | |
CVE-2020-11022 | Oracle Financial Services Data Foundation | Infrastructure (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.1.0 | |
CVE-2020-11022 | Oracle Financial Services Data Governance for US Regulatory Reporting | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.0.9 | |
CVE-2020-11022 | Oracle Financial Services Data Integration Hub | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6, 8.0.7, 8.1.0 | |
CVE-2020-11022 | Oracle Financial Services Funds Transfer Pricing | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6, 8.0.7, 8.1.0 | |
CVE-2020-11022 | Oracle Financial Services Hedge Management and IFRS Valuations | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.0.8, 8.1.0 | |
CVE-2020-11022 | Oracle Financial Services Institutional Performance Analytics | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6, 8.0.7, 8.1.0 | |
CVE-2020-11022 | Oracle Financial Services Liquidity Risk Management | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6 | |
CVE-2020-11022 | Oracle Financial Services Liquidity Risk Measurement and Management | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.7, 8.0.8, 8.1.0 | |
CVE-2020-11022 | Oracle Financial Services Loan Loss Forecasting and Provisioning | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.0.8, 8.1.0 | |
CVE-2020-11022 | Oracle Financial Services Market Risk Measurement and Management | Infrastructure (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6, 8.0.8 | |
CVE-2020-11022 | Oracle Financial Services Price Creation and Discovery | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6, 8.0.7 | |
CVE-2020-11022 | Oracle Financial Services Profitability Management | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6, 8.0.7, 8.1.0 | |
CVE-2020-11022 | Oracle Financial Services Regulatory Reporting for European Banking Authority | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.1.0 | |
CVE-2020-11022 | Oracle Financial Services Regulatory Reporting for US Federal Reserve | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.0.9 | |
CVE-2020-1941 | Oracle FLEXCUBE Private Banking | Core (Apache ActiveMQ) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.0.0, 12.1.0 | |
CVE-2020-11022 | Oracle Insurance Accounting Analyzer | IFRS17 (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.9 | |
CVE-2020-11022 | Oracle Insurance Allocation Manager for Enterprise Profitability | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.8, 8.1.0 | |
CVE-2020-11022 | Oracle Insurance Data Foundation | Infrastructure (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.1.0 | |
CVE-2020-1951 | Oracle FLEXCUBE Private Banking | Core (Apache Tika) | None | No | 5.5 | Local | Low | None | Required | Un- changed |
None | None | High | 12.0.0, 12.1.0 | |
CVE-2019-10247 | Oracle FLEXCUBE Core Banking | Core (Eclipse Jetty) | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
Low | None | None | 5.2.0, 11.5.0-11.7.0 | |
CVE-2020-9488 | Oracle Financial Services Analytical Applications Infrastructure | Infrastructure (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 8.0.6-8.1.0 | |
CVE-2020-9488 | Oracle Financial Services Institutional Performance Analytics | User Interface (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 8.0.6, 8.7.0, 8.1.0 | |
CVE-2020-9488 | Oracle Financial Services Market Risk Measurement and Management | Infrastructure (Apache log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 8.0.6, 8.0.8, 8.1.0 | |
CVE-2020-9488 | Oracle Financial Services Price Creation and Discovery | User Interface (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 8.0.6, 8.0.7 | |
CVE-2020-9488 | Oracle Financial Services Retail Customer Analytics | User Interface (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 8.0.6 | |
CVE-2020-9488 | Oracle FLEXCUBE Core Banking | Core (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 5.2.0, 11.5.0-11.7.0 | |
CVE-2020-9488 | Oracle FLEXCUBE Private Banking | Core (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 12.0.0, 12.1.0 |
This Critical Patch Update contains 4 new security patches for Oracle Food and Beverage Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2020-11022 | Oracle Hospitality Materials Control | Mobile Authorization (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 18.1 | |
CVE-2020-11022 | Oracle Hospitality Simphony | Simphony Apps (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 18.1, 18.2, 19.1.0-19.1.2 | |
CVE-2020-14753 | Oracle Hospitality Reporting and Analytics | Installation | None | No | 5.9 | Local | Low | Low | Required | Changed | High | None | None | 9.1.0 | |
CVE-2020-14783 | Oracle Hospitality RES 3700 | CAL | TCP | Yes | 5.3 | Network | Low | None | None | Un- changed |
Low | None | None | 5.7 |
This Critical Patch Update contains 46 new security patches for Oracle Fusion Middleware. 36 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security updates are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the Critical Patch Update October 2020 to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2020 Patch Availability Document for Oracle Products, My Oracle Support Note 2694898.1.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2017-5645 | Identity Manager Connector | General and Misc (Apache Log4j) | Multiple | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 9.0 | |
CVE-2018-11058 | Oracle Access Manager | Web Server Plugin (RSA BSafe) | HTTPS | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 11.1.2.3.0 | |
CVE-2017-9800 | Oracle Data Integrator | Install, config, upgrade (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.2.1.3.0 | |
CVE-2020-10683 | Oracle Endeca Information Discovery Integrator | Integrator ETL (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 3.2.0 | |
CVE-2019-10173 | Oracle Endeca Information Discovery Studio | Endeca Server (xstream) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 3.2.0 | |
CVE-2019-2904 | Oracle Enterprise Repository | Security Subsystem - 12c (Application Development Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 11.1.1.7.0 | |
CVE-2018-8088 | Oracle GoldenGate Application Adapters | Application Adapters (SLF4J) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.3.2.1.0 | |
CVE-2019-17531 | Oracle GoldenGate Application Adapters | Build Request (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 19.1.0.0.0 | |
CVE-2018-11058 | Oracle GoldenGate Application Adapters | Security Service (RSA BSAFE) | HTTPS | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.3.2.1.0 | |
CVE-2019-5482 | Oracle HTTP Server | Web Listener (cURL) | TFTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2020-10683 | Oracle WebCenter Portal | Portlet Services (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2020-2555 | Oracle WebCenter Portal | Security Framework (Oracle Coherence) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2019-10173 | Oracle WebCenter Portal | Security Framework (xstream) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 11.1.1.9.0, 12.2.1.3.0 | |
CVE-2019-17267 | Oracle WebLogic Server | Centralized Thirdparty Jars (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.2.1.3.0 | |
CVE-2020-14882 | Oracle WebLogic Server | Console | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
CVE-2020-14841 | Oracle WebLogic Server | Core | IIOP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
CVE-2020-14825 | Oracle WebLogic Server | Core | IIOP, T3 | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
CVE-2020-14859 | Oracle WebLogic Server | Core | IIOP, T3 | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
CVE-2020-14879 | BI Publisher | E-Business Suite - XDO | HTTP | No | 8.5 | Network | Low | Low | None | Changed | High | Low | None | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2020-14880 | BI Publisher | E-Business Suite - XDO | HTTP | No | 8.5 | Network | Low | Low | None | Changed | High | Low | None | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2020-14842 | BI Publisher | BI Publisher Security | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2020-14784 | Oracle BI Publisher | Mobile Service | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2020-14815 | Oracle Business Intelligence Enterprise Edition | Analytics Actions | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2016-2510 | Oracle Data Integrator | Jave APIs (BeanShell) | HTTP | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | 11.1.1.9.0, 12.2.1.3.0 | |
CVE-2020-3235 | Management Pack for Oracle GoldenGate | Monitor (SNMP) | SNMP | No | 7.7 | Network | Low | Low | None | Changed | None | None | High | 12.2.1.2.0 | |
CVE-2020-14864 | Oracle Business Intelligence Enterprise Edition | Installation | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | 5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2020-1967 | Oracle HTTP Server | SSL Module (OpenSSL) | HTTPS | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 12.2.1.4.0 | |
CVE-2020-14820 | Oracle WebLogic Server | Core | IIOP, T3 | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
CVE-2019-10097 | Oracle HTTP Server | Core (Apache HTTP Server) | HTTP | No | 7.2 | Network | Low | High | None | Un- changed |
High | High | High | 12.2.1.4.0 | |
CVE-2020-14883 | Oracle WebLogic Server | Console | HTTP | No | 7.2 | Network | Low | High | None | Un- changed |
High | High | High | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
CVE-2020-14780 | BI Publisher | BI Publisher Security | HTTP | Yes | 7.1 | Network | Low | None | Required | Un- changed |
High | Low | None | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2020-14843 | Oracle Business Intelligence Enterprise Edition | Analytics Actions | HTTP | Yes | 7.1 | Network | Low | None | Required | Changed | Low | Low | Low | 5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2020-14766 | Oracle Business Intelligence Enterprise Edition | Analytics Web Administration | HTTP | No | 7.1 | Network | Low | Low | None | Un- changed |
High | Low | None | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2020-9484 | Oracle Managed File Transfer | MFT Runtime Server (Apache Tomcat) | None | No | 7.0 | Local | High | Low | None | Un- changed |
High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2020-14757 | Oracle WebLogic Server | Web Services | HTTP | Yes | 6.8 | Network | High | None | Required | Un- changed |
High | High | None | 12.2.1.3.0 | |
CVE-2020-15389 | Oracle Outside In Technology | Installation (OpenJPEG) | HTTP | Yes | 6.5 | Network | High | None | None | Un- changed |
Low | None | High | 8.5.5, 8.5.4 | See Note 1 |
CVE-2020-1945 | Oracle Business Process Management Suite | Runtime Engine (Apache Ant) | None | No | 6.3 | Local | High | Low | None | Un- changed |
High | High | None | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2019-11358 | BI Publisher | BI Publisher Security (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2019-11358 | Oracle Business Process Management Suite | Runtime Engine (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2019-2904 | Oracle Business Process Management Suite | Runtime Engine (Application Development Framework) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2020-11022 | Oracle JDeveloper | ADF Faces (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2020-9281 | Oracle WebCenter Portal | Blogs and Wikis (CKEditor) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2020-11022 | Oracle WebLogic Server | Console (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
CVE-2020-1951 | Oracle Business Process Management Suite | Document Service (Apache Tika) | None | No | 5.5 | Local | Low | None | Required | Un- changed |
None | None | High | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2020-13631 | Oracle Outside In Technology | Installation (SQLite) | None | No | 5.5 | Local | Low | Low | None | Un- changed |
None | High | None | 8.5.5, 8.5.4 | See Note 1 |
CVE-2020-9488 | Oracle WebLogic Server | Core (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 10.3.6.0.0 |
This Critical Patch Update contains 1 new security patch for Oracle GraalVM. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2020-14803 | Oracle GraalVM Enterprise Edition | Java | Multiple | Yes | 5.3 | Network | Low | None | None | Un- changed |
Low | None | None | 19.3.3, 20.2.0 |
This Critical Patch Update contains 4 new security patches for Oracle Health Sciences Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2020-1953 | Oracle Healthcare Foundation | Self Service Analytics (Apache Commons Configuration) | HTTP | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | 7.1.1, 7.2.0, 7.2.1, 7.3.0 | |
CVE-2020-10683 | Oracle Health Sciences Empirica Signal | User Interface (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 9.0 | |
CVE-2020-2555 | Oracle Healthcare Data Repository | Database Module (Oracle Coherence) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 7.0.1 | |
CVE-2020-11022 | Oracle Healthcare Foundation | Admin Console (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 7.1.1, 7.2.0, 7.2.1, 7.3.0 |
This Critical Patch Update contains 6 new security patches for Oracle Hospitality Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2019-17638 | Oracle Hospitality Guest Access | Base (Eclipse Jetty) | HTTP | Yes | 9.4 | Network | Low | None | None | Un- changed |
High | High | Low | 4.2.0, 4.2.1 | |
CVE-2020-14807 | Oracle Hospitality Suite8 | WebConnect | HTTP | Yes | 7.1 | Network | Low | None | Required | Un- changed |
High | Low | None | 8.10.2, 8.11-8.14 | |
CVE-2020-9484 | Oracle Hospitality Guest Access | Base (Apache Tomcat) | None | No | 7.0 | Local | High | Low | None | Un- changed |
High | High | High | 4.2.0, 4.2.1 | |
CVE-2020-14858 | Oracle Hospitality OPERA 5 Property Services | Logging | HTTP | No | 6.8 | Network | Low | High | Required | Un- changed |
High | High | High | 5.5, 5.6 | |
CVE-2020-14877 | Oracle Hospitality OPERA 5 Property Services | Logging | HTTP | No | 6.5 | Network | Low | High | None | Un- changed |
High | High | None | 5.5, 5.6 | |
CVE-2020-14810 | Oracle Hospitality Suite8 | WebConnect | HTTP | Yes | 5.4 | Network | Low | None | Required | Un- changed |
Low | Low | None | 8.10.2, 8.11-8.14 |
This Critical Patch Update contains 9 new security patches for Oracle Hyperion. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2019-5482 | Hyperion Essbase | Security and Provisioning (cURL) | TFTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 11.1.2.4 | |
CVE-2020-14854 | Hyperion Infrastructure Technology | UI and Visualization | HTTP | No | 6.1 | Network | Low | High | Required | Un- changed |
High | High | None | 11.1.2.4 | |
CVE-2019-1547 | Hyperion Essbase | Security and Provisioning (OpenSSL) | None | No | 4.7 | Local | High | Low | None | Un- changed |
High | None | None | 11.1.2.4 | |
CVE-2020-14768 | Hyperion Analytic Provider Services | Smart View Provider | HTTP | No | 4.3 | Adjacent Network |
High | Low | Required | Un- changed |
Low | Low | Low | 11.1.2.4 | |
CVE-2020-14767 | Hyperion BI+ | IQR-Foundation service | Multiple | No | 4.2 | Network | High | High | Required | Un- changed |
High | None | None | 11.1.2.4 | |
CVE-2020-14752 | Hyperion Lifecycle Management | Shared Services | HTTP | No | 4.2 | Network | High | High | Required | Un- changed |
None | High | None | 11.1.2.4 | |
CVE-2020-14772 | Hyperion Lifecycle Management | Shared Services | HTTP | No | 4.2 | Network | High | High | Required | Un- changed |
None | High | None | 11.1.2.4 | |
CVE-2020-14764 | Hyperion Planning | Application Development Framework | HTTP | No | 4.2 | Network | High | High | Required | Un- changed |
None | High | None | 11.1.2.4 | |
CVE-2020-14770 | Hyperion BI+ | IQR-Foundation service | Multiple | No | 2.0 | Network | High | High | Required | Un- changed |
Low | None | None | 11.1.2.4 |
This Critical Patch Update contains 6 new security patches for Oracle Insurance Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2020-9546 | Oracle Insurance Policy Administration J2EE | Architecture (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 11.0.2.25, 11.1.0.15 | |
CVE-2020-5398 | Oracle Insurance Policy Administration J2EE | Admin Console (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Un- changed |
High | High | High | 11.2.2.0 | |
CVE-2020-11022 | Oracle Insurance Insbridge Rating and Underwriting | Framework Administrator IBFA (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 5.0.0.0 - 5.6.0.0, 5.6.1.0 | |
CVE-2020-9488 | Oracle Insurance Insbridge Rating and Underwriting | Framework Administrator IBFA (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 5.0.0.0 - 5.6.0.0, 5.6.1.0 | |
CVE-2020-9488 | Oracle Insurance Policy Administration J2EE | Architecture (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26 | |
CVE-2020-9488 | Oracle Insurance Rules Palette | Architecture (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26 |
This Critical Patch Update contains 8 new security patches for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2020-14803 | Java SE | Libraries | Multiple | Yes | 5.3 | Network | Low | None | None | Un- changed |
Low | None | None | Java SE: 11.0.8, 15 | See Note 1 |
CVE-2020-14792 | Java SE, Java SE Embedded | Hotspot | Multiple | Yes | 4.2 | Network | High | None | Required | Un- changed |
Low | Low | None | Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261 | See Note 2 |
CVE-2020-14781 | Java SE, Java SE Embedded | JNDI | Multiple | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261 | See Note 2 |
CVE-2020-14782 | Java SE, Java SE Embedded | Libraries | Multiple | Yes | 3.7 | Network | High | None | None | Un- changed |
None | Low | None | Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261 | See Note 2 |
CVE-2020-14797 | Java SE, Java SE Embedded | Libraries | Multiple | Yes | 3.7 | Network | High | None | None | Un- changed |
None | Low | None | Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261 | See Note 2 |
CVE-2020-14779 | Java SE, Java SE Embedded | Serialization | Multiple | Yes | 3.7 | Network | High | None | None | Un- changed |
None | None | Low | Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261 | See Note 2 |
CVE-2020-14796 | Java SE, Java SE Embedded | Libraries | Multiple | Yes | 3.1 | Network | High | None | Required | Un- changed |
Low | None | None | Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261 | See Note 1 |
CVE-2020-14798 | Java SE, Java SE Embedded | Libraries | Multiple | Yes | 3.1 | Network | High | None | Required | Un- changed |
None | Low | None | Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261 | See Note 1 |
This Critical Patch Update contains 54 new security patches for Oracle MySQL. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2020-8174 | MySQL Cluster | Cluster: JS module (Node.js) | Multiple | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 7.3.30 and prior, 7.4.29 and prior, 7.5.19 and prior, 7.6.15 and prior, 8.0.21 and prior | |
CVE-2020-14878 | MySQL Server | Server: Security: LDAP Auth | MySQL Protocol | No | 8.0 | Adjacent Network |
Low | Low | None | Un- changed |
High | High | High | 8.0.21 and prior | |
CVE-2020-13935 | MySQL Enterprise Monitor | Monitoring: General (Apache Tomcat) | HTTPS | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 8.0.21 and prior | |
CVE-2020-1967 | MySQL Workbench | Workbench: Security: Encryption (OpenSSL) | MySQL Workbench | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 8.0.21 and prior | |
CVE-2020-14828 | MySQL Server | Server: DML | MySQL Protocol | No | 7.2 | Network | Low | High | None | Un- changed |
High | High | High | 8.0.21 and prior | |
CVE-2020-14775 | MySQL Server | InnoDB | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Un- changed |
None | None | High | 5.7.31 and prior, 8.0.21 and prior | |
CVE-2020-14765 | MySQL Server | Server: FTS | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Un- changed |
None | None | High | 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior | |
CVE-2020-14769 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Un- changed |
None | None | High | 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior | |
CVE-2020-14830 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Un- changed |
None | None | High | 8.0.21 and prior | |
CVE-2020-14836 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Un- changed |
None | None | High | 8.0.21 and prior | |
CVE-2020-14846 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Un- changed |
None | None | High | 8.0.21 and prior | |
CVE-2020-14800 | MySQL Server | Server: Security: Encryption | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Un- changed |
None | None | High | 8.0.21 and prior | |
CVE-2020-14827 | MySQL Server | Server: Security: LDAP Auth | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Un- changed |
High | None | None | 5.7.31 and prior, 8.0.21 and prior | |
CVE-2020-14760 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 5.5 | Network | Low | High | None | Un- changed |
None | Low | High | 5.7.31 and prior | |
CVE-2020-1730 | MySQL Workbench | MySQL Workbench (libssh) | MySQL Workbench | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | None | Low | 8.0.21 and prior | |
CVE-2020-14776 | MySQL Server | InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 5.7.31 and prior, 8.0.21 and prior | |
CVE-2020-14821 | MySQL Server | InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.21 and prior | |
CVE-2020-14829 | MySQL Server | InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.21 and prior | |
CVE-2020-14848 | MySQL Server | InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.21 and prior | |
CVE-2020-14852 | MySQL Server | Server: Charsets | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.21 and prior | |
CVE-2020-14814 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.21 and prior | |
CVE-2020-14789 | MySQL Server | Server: FTS | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 5.7.31 and prior, 8.0.21 and prior | |
CVE-2020-14804 | MySQL Server | Server: FTS | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.21 and prior | |
CVE-2020-14812 | MySQL Server | Server: Locking | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior | |
CVE-2020-14773 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.21 and prior | |
CVE-2020-14777 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.21 and prior | |
CVE-2020-14785 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.21 and prior | |
CVE-2020-14793 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior | |
CVE-2020-14794 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.21 and prior | |
CVE-2020-14809 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.21 and prior | |
CVE-2020-14837 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.21 and prior | |
CVE-2020-14839 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.21 and prior | |
CVE-2020-14845 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.21 and prior | |
CVE-2020-14861 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.21 and prior | |
CVE-2020-14866 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.21 and prior | |
CVE-2020-14868 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.21 and prior | |
CVE-2020-14888 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.21 and prior | |
CVE-2020-14891 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.21 and prior | |
CVE-2020-14893 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.21 and prior | |
CVE-2020-14786 | MySQL Server | Server: PS | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.21 and prior | |
CVE-2020-14790 | MySQL Server | Server: PS | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 5.7.31 and prior, 8.0.21 and prior | |
CVE-2020-14844 | MySQL Server | Server: PS | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.21 and prior | |
CVE-2020-14799 | MySQL Server | Server: Security: Encryption | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.20 and prior | |
CVE-2020-14869 | MySQL Server | Server: Security: LDAP Auth | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 5.7.31 and prior, 8.0.21 and prior | |
CVE-2020-14672 | MySQL Server | Server: Stored Procedure | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior | |
CVE-2020-14870 | MySQL Server | Server: X Plugin | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.21 and prior | |
CVE-2020-14853 | MySQL Cluster | Cluster: NDBCluster Plugin | Multiple | No | 4.6 | Network | Low | Low | Required | Un- changed |
None | Low | Low | 8.0.21 and prior | |
CVE-2020-14867 | MySQL Server | Server: DDL | MySQL Protocol | No | 4.4 | Network | High | High | None | Un- changed |
None | None | High | 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior | |
CVE-2020-14873 | MySQL Server | Server: Logging | MySQL Protocol | No | 4.4 | Network | High | High | None | Un- changed |
None | None | High | 8.0.21 and prior | |
CVE-2020-14838 | MySQL Server | Server: Security: Privileges | MySQL Protocol | No | 4.3 | Network | Low | Low | None | Un- changed |
Low | None | None | 8.0.21 and prior | |
CVE-2020-14860 | MySQL Server | Server: Security: Roles | MySQL Protocol | No | 2.7 | Network | Low | High | None | Un- changed |
None | Low | None | 8.0.21 and prior | |
CVE-2020-14791 | MySQL Server | InnoDB | MySQL Protocol | No | 2.2 | Network | High | High | None | Un- changed |
None | None | Low | 8.0.21 and prior | |
CVE-2020-14771 | MySQL Server | Server: Security: LDAP Auth | MySQL Protocol | No | 2.2 | Network | High | High | None | Un- changed |
None | None | Low | 5.7.31 and prior, 8.0.21 and prior | |
CVE-2020-4051 | MySQL Cluster | Cluster: Configuration (dojo) | Multiple | No | 0.0 | Network | Low | Low | Required | Un- changed |
None | None | None | 7.3.30 and prior, 7.4.29 and prior, 7.5.19 and prior, 7.6.15 and prior, 8.0.21 and prior |
This Critical Patch Update contains 15 new security patches for Oracle PeopleSoft. 12 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2018-11058 | PeopleSoft Enterprise PeopleTools | Weblogic (RSA BSafe) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 8.56, 8.57, 8.58 | |
CVE-2020-14865 | PeopleSoft Enterprise SCM eSupplier Connection | eSupplier Connection | HTTP | No | 8.1 | Network | Low | Low | None | Un- changed |
High | High | None | 9.2 | |
CVE-2020-14795 | PeopleSoft Enterprise PeopleTools | PIA Core Technology | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
High | None | None | 8.57, 8.58 | |
CVE-2020-14778 | PeopleSoft Enterprise HCM Global Payroll Core | Security | HTTP | No | 6.3 | Network | Low | Low | None | Un- changed |
Low | Low | Low | 9.2 | |
CVE-2020-14832 | PeopleSoft Enterprise PeopleTools | Integration Broker | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.56, 8.57, 8.58 | |
CVE-2020-14801 | PeopleSoft Enterprise PeopleTools | PIA Core Technology | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.56, 8.57, 8.58 | |
CVE-2020-14802 | PeopleSoft Enterprise PeopleTools | PIA Core Technology | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.56, 8.57, 8.58 | |
CVE-2020-11022 | PeopleSoft Enterprise PeopleTools | PIA Core Technology (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.56, 8.57, 8.58 | |
CVE-2020-14813 | PeopleSoft Enterprise PeopleTools | PIA Grids | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.56, 8.57, 8.58 | |
CVE-2020-11022 | PeopleSoft Enterprise PeopleTools | Portal, Charting (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.56, 8.57, 8.58 | |
CVE-2020-1954 | PeopleSoft Enterprise PeopleTools | Elastic Search (Apache CXF) | HTTP | Yes | 5.3 | Adjacent Network |
High | None | None | Un- changed |
High | None | None | 8.56 | |
CVE-2020-14806 | PeopleSoft Enterprise PeopleTools | Query | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
Low | None | None | 8.56, 8.57, 8.58 | |
CVE-2020-9488 | PeopleSoft Enterprise PeopleTools | Tools Admin API (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 8.56, 8.57, 8.58 | |
CVE-2020-9488 | PeopleSoft Enterprise PeopleTools | Updates Environment Mgmt (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 8.56, 8.57, 8.58 | |
CVE-2020-14847 | PeopleSoft Enterprise PeopleTools | Query | HTTP | No | 2.7 | Network | Low | High | None | Un- changed |
Low | None | None | 8.56, 8.57, 8.58 |
This Critical Patch Update contains 6 new security patches for Oracle Policy Automation. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2020-11022 | Oracle Policy Automation | Core (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.0 - 12.2.20 | |
CVE-2020-11022 | Oracle Policy Automation Connector for Siebel | Core (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 10.4.6 | |
CVE-2020-11022 | Oracle Policy Automation for Mobile Devices | Core (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.0 - 12.2.20 | |
CVE-2020-9488 | Oracle Policy Automation | Core (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 12.2.0 - 12.2.20 | |
CVE-2020-9488 | Oracle Policy Automation Connector for Siebel | Core (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 10.4.6 | |
CVE-2020-9488 | Oracle Policy Automation for Mobile Devices | Core (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 12.2.0 - 12.2.20 |
This Critical Patch Update contains 28 new security patches for Oracle Retail Applications. 25 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2020-10683 | Oracle Retail Order Broker | System Administration (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 15.0, 16.0, 18.0, 19.0, 19.1 | |
CVE-2020-10683 | Oracle Retail Price Management | Security (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 14.0.4, 14.1.3.0, 15.0.3.0, 16.0.3.0 | |
CVE-2020-9546 | Oracle Retail Service Backbone | RSB kernel (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 14.1, 15.0, 16.0 | |
CVE-2020-1945 | Oracle Retail Back Office | Security (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Un- changed |
High | High | None | 14.0, 14.1 | |
CVE-2020-1945 | Oracle Retail Central Office | Security (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Un- changed |
High | High | None | 14.0, 14.1 | |
CVE-2020-1945 | Oracle Retail Integration Bus | RIB Kernal (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Un- changed |
High | High | None | 14.1, 15.0, 16.0 | |
CVE-2020-1945 | Oracle Retail Point-of-Service | Security (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Un- changed |
High | High | None | 14.0, 14.1 | |
CVE-2020-1945 | Oracle Retail Returns Management | Security (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Un- changed |
High | High | None | 14.0, 14.1 | |
CVE-2020-9410 | Oracle Retail Order Broker | Order Broker Foundation (jasperreports_server) | HTTP | Yes | 8.8 | Network | Low | None | Required | Un- changed |
High | High | High | 15.0, 16.0 | |
CVE-2019-3740 | Oracle Retail Assortment Planning | Application Core (RSA BSAFE Crypto-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
High | None | None | 15.0.3.0, 16.0.3.0 | |
CVE-2019-3740 | Oracle Retail Integration Bus | RIB Kernal (RSA BSAFE Crypto-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
High | None | None | 14.1, 15.0, 16.0 | |
CVE-2019-3740 | Oracle Retail Predictive Application Server | RPAS Server (RSA BSAFE Crypto-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
High | None | None | 14.1.3.0, 15.0.3.0, 16.0.3.0 | |
CVE-2019-3740 | Oracle Retail Service Backbone | RSB kernel (RSA BSAFE Crypto-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
High | None | None | 14.1, 15.0, 16.0 | |
CVE-2019-3740 | Oracle Retail Xstore Point of Service | Xenvironment (RSA BSAFE Crypto-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
High | None | None | 15.0.3, 16.0.5, 17.0.3, 18.0.2, 19.0.1 | |
CVE-2020-11022 | Oracle Retail Back Office | Security (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 14.0, 14.1 | |
CVE-2020-11022 | Oracle Retail Central Office | Security (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 14.0, 14.1 | |
CVE-2020-11022 | Oracle Retail Customer Management and Segmentation Foundation | Segments (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 19.0 | |
CVE-2019-11358 | Oracle Retail Point-of-Service | Mobile POS (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 14.0, 14.1 | |
CVE-2020-11022 | Oracle Retail Returns Management | Security (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 14.0, 14.1 | |
CVE-2019-12415 | Oracle Retail Order Broker | Store Connect (Apache POI) | none | No | 5.5 | Local | Low | Low | None | Un- changed |
High | None | None | 15.0, 16.0 | |
CVE-2020-9488 | Oracle Retail Advanced Inventory Planning | AIP Dashboard (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 14.1 | |
CVE-2020-9488 | Oracle Retail Assortment Planning | Application Core (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 15.0.3.0, 16.0.3.0 | |
CVE-2020-9488 | Oracle Retail Bulk Data Integration | BDI Job Scheduler (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 15.0.3.0, 16.0.3.0 | |
CVE-2020-9488 | Oracle Retail Integration Bus | RIB Kernal (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 14.1, 15.0, 16.0 | |
CVE-2020-9488 | Oracle Retail Order Broker | Store Connect (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 16.0, 18.0, 19.0, 19.1, 19.2, 19.3 | |
CVE-2020-9488 | Oracle Retail Predictive Application Server | RPAS Fusion Client (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 14.1.3.0, 15.0.3.0, 16.0.3.0 | |
CVE-2020-14732 | Oracle Retail Customer Management and Segmentation Foundation | Promotions | HTTP | No | 3.1 | Network | High | Low | None | Un- changed |
Low | None | None | 19.0 | |
CVE-2020-14731 | Oracle Retail Customer Management and Segmentation Foundation | Segment | HTTP | No | 3.1 | Network | High | Low | None | Un- changed |
Low | None | None | 18.0, 19.0 |
This Critical Patch Update contains 3 new security patches for Oracle Siebel CRM. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2016-1000031 | Siebel Apps - Marketing | Mktg/Email Mktg Stand-Alone (Apache Commons File Upload) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 20.7 | |
CVE-2019-10072 | Siebel Apps - Marketing | Mktg/Campaign Mgmt (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 20.7 | |
CVE-2020-11022 | Siebel UI Framework | UIF Open UI (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 20.8 |
This Critical Patch Update contains 4 new security patches for Oracle Supply Chain. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2020-1938 | Oracle Agile PLM | Folders, Files & Attachments (Apache Tomcat) | AJP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 9.3.3, 9.3.5, 9.3.6 | |
CVE-2020-10683 | Oracle Agile PLM | Security (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 9.3.3, 9.3.5 | |
CVE-2020-9484 | Oracle Transportation Management | Install (Apache Tomcat) | AJP | No | 7.0 | Local | High | Low | None | Un- changed |
High | High | High | 6.3.7 | |
CVE-2020-11022 | Oracle Agile Product Lifecycle Management for Process | Supplier Portal (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 6.2.0.0 |
This Critical Patch Update contains 8 new security patches for Oracle Systems. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2020-14871 | Oracle Solaris | Pluggable authentication module | Multiple | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | 10, 11 | See Note 1 |
CVE-2020-14871 | Oracle ZFS Storage Appliance Kit | Operating System Image | Multiple | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | 8.8 | See Note 1 |
CVE-2019-11477 | Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers | XCP Firmware (Linux Kernel) | TCP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | Prior to XCP2362, prior to XCP3090 | |
CVE-2018-3693 | Fujitsu M12-1, M12-2, M12-2S Servers | XCP Firmware (Kernel) | None | No | 5.6 | Local | High | Low | None | Changed | High | None | None | Prior to XCP3090 | |
CVE-2020-14758 | Oracle Solaris | Kernel | None | No | 5.6 | Local | Low | Low | Required | Un- changed |
High | None | Low | 11 | |
CVE-2020-14754 | Oracle Solaris | Filesystem | None | No | 5.5 | Local | Low | Low | None | Un- changed |
None | None | High | 11 | |
CVE-2020-14818 | Oracle Solaris | Utility | SSH | No | 3.0 | Network | High | Low | Required | Changed | None | Low | None | 11 | |
CVE-2020-14759 | Oracle Solaris | Kernel | None | No | 2.5 | Local | High | Low | Required | Changed | None | Low | None | 11 |
This Critical Patch Update contains 5 new security patches for Oracle Utilities Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2019-10173 | Oracle Utilities Framework | Common (xstream) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 - 4.3.0.6.0, 4.4.0.0.0 | |
CVE-2020-10683 | Oracle Utilities Framework | General (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 - 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0 | |
CVE-2020-1945 | Oracle Utilities Framework | General (Apache Ant) | None | No | 6.3 | Local | High | Low | None | Un- changed |
High | High | None | 2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 - 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0 | |
CVE-2020-14895 | Oracle Utilities Framework | System Wide | HTTP | No | 5.4 | Network | Low | Low | None | Un- changed |
Low | Low | None | 2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 - 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0 | |
CVE-2020-9488 | Oracle Utilities Framework | Common (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 - 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0 |
This Critical Patch Update contains 7 new security patches for Oracle Virtualization. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2020-14872 | Oracle VM VirtualBox | Core | None | No | 8.2 | Local | Low | High | None | Changed | High | High | High | Prior to 6.1.16 | |
CVE-2020-14881 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | High | None | None | Prior to 6.1.16 | |
CVE-2020-14884 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | High | None | None | Prior to 6.1.16 | |
CVE-2020-14885 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | High | None | None | Prior to 6.1.16 | |
CVE-2020-14886 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | High | None | None | Prior to 6.1.16 | |
CVE-2020-14889 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | High | None | None | Prior to 6.1.16 | |
CVE-2020-14892 | Oracle VM VirtualBox | Core | None | No | 5.5 | Local | Low | Low | None | Un- changed |
None | None | High | Prior to 6.1.16 |