CVE-2025-21510
Published: 21 January 2025
Description
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are those prior to 9.2.9.0. Easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Security Summary
CVE-2025-21510 is a vulnerability in the Web Runtime SEC component of the JD Edwards EnterpriseOne Tools product from Oracle JD Edwards. Supported versions affected by this issue are those prior to 9.2.9.0.
An unauthenticated attacker with network access via HTTP can easily exploit this vulnerability to compromise JD Edwards EnterpriseOne Tools. Successful exploitation can result in unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Tools accessible data. The vulnerability has a CVSS 3.1 base score of 7.5 (vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting a high confidentiality impact, and is associated with CWE-203.
Oracle's Critical Patch Update for January 2025 provides details on mitigation, available at https://www.oracle.com/security-alerts/cpujan2025.html. Affected systems should be updated to version 9.2.9.0 or later to address the vulnerability.
Details
- CWE(s)