Cyber Posture

CVE-2025-21515

High

Published: 21 January 2025
Modified: 17 March 2025
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0095 (76.5th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Security Summary

CVE-2025-21515 is a vulnerability in the Web Runtime SEC component of Oracle JD Edwards EnterpriseOne Tools. Supported versions affected are those prior to 9.2.9.0. The issue is classified as CWE-306 (Missing Authentication for Critical Function) and carries a CVSS 3.1 base score of 8.8 (vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact to confidentiality, integrity, and availability.

A low-privileged attacker (PR:L) with network access via HTTP can easily exploit this vulnerability without user interaction. Successful exploitation allows compromise of JD Edwards EnterpriseOne Tools, enabling full takeover of the application.

Oracle's Critical Patch Update for January 2025 details mitigation steps, including patches to address the vulnerability in affected versions. Security practitioners should consult https://www.oracle.com/security-alerts/cpujan2025.html and upgrade to version 9.2.9.0 or later.

Details

CWE(s): CWE-306

Affected Products

Vendor: Oracle
Product: JD Edwards EnterpriseOne Tools
Versions: ≤ 9.2.9.0
