CVE-2025-21547
Published: 21 January 2025
Description
Vulnerability in the Oracle Hospitality OPERA 5 product of Oracle Hospitality Applications (component: Opera Servlet). Supported versions that are affected are 5.6.19.20, 5.6.25.8, 5.6.26.6 and 5.6.27.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hospitality OPERA 5 accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Hospitality OPERA 5. CVSS 3.1 Base Score 9.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).
Security Summary
CVE-2025-21547 is a vulnerability in the Opera Servlet component of Oracle Hospitality OPERA 5, which is part of Oracle Hospitality Applications. The affected supported versions are 5.6.19.20, 5.6.25.8, 5.6.26.6, and 5.6.27.1. It is classified under CWE-400 (Uncontrolled Resource Consumption) and carries a CVSS 3.1 base score of 9.1 with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H, which reflects high impact on confidentiality and availability and no impact on integrity.
An unauthenticated attacker with network access via HTTP can easily exploit this vulnerability to compromise Oracle Hospitality OPERA 5. Successful attacks enable unauthorized access to critical data or complete access to all Oracle Hospitality OPERA 5 accessible data, along with the unauthorized ability to cause a hang or frequently repeatable crash, resulting in a complete denial of service.
Mitigation details are provided in the Oracle Critical Patch Update advisory available at https://www.oracle.com/security-alerts/cpujan2025.html, published on 2025-01-21. Security practitioners should consult this advisory for patch information and recommended actions specific to the affected versions.
Details
- CWE(s)