CVE-2025-21511

High

Published: 21 January 2025

Published

21 January 2025

Modified

17 March 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0024 47.4th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Security Summary

CVE-2025-21511 is a vulnerability in the Web Runtime SEC component of Oracle JD Edwards EnterpriseOne Tools. Supported versions affected are those prior to 9.2.9.0. The issue, associated with CWE-346, carries a CVSS 3.1 base score of 7.5 (vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), with high confidentiality impact and no integrity or availability effects.

An unauthenticated attacker with network access via HTTP can easily exploit this vulnerability to compromise JD Edwards EnterpriseOne Tools. Successful exploitation allows unauthorized access to critical data or complete access to all data accessible by the product.

Oracle's security advisory at https://www.oracle.com/security-alerts/cpujan2025.html provides details on the vulnerability and mitigation, including patches for affected versions. Organizations should apply the recommended updates to versions 9.2.9.0 and later to address the issue.

Details

CWE(s): CWE-346

Affected Products

oracle

jd edwards enterpriseone tools

≤ 9.2.9.0

References

https://www.oracle.com/security-alerts/cpujan2025.html
Vendor Advisory · secalert_us@oracle.com