On November 21, 2024, CISA added CVE-2024-21287, an improper authorization vulnerability in Oracle Agile Product Lifecycle Management (PLM), to its Known Exploited Vulnerabilities (KEV) Catalog. The vulnerability affects the Process Extension component of the Software Development Kit (SDK) and is exploitable without authentication.
| Product | Agile Product Lifecycle Management |
| Date | 2024-11-22 11:24:25 |
| Information |
|
Technical Summary
CVE-2024-21287 is an improper authorization vulnerability in Oracle Agile PLM software, which could allow unauthenticated file disclosure via the Process Extension component of the SDK. The vulnerable supported version is 9.3.6. This vulnerability allows remote attackers to access sensitive files without the need for user credentials. The vulnerability has been assigned a CVSS score of 7.5 and is considered a critical security risk.
Recommendations
- Apply security patches immediately provided by Oracle to mitigate the risk of exploitation.
- Update Oracle Agile PLM to the latest supported version.
- Monitor systems for signs of compromise, as this vulnerability is now listed in the CISA Known Exploited Vulnerabilities Catalog.
[Callforaction-THREAT-Footer]
