Oracle warns of Agile PLM file disclosure flaw exploited in attacks

Oracle has patched an unauthenticated file disclosure flaw in Oracle Agile Product Lifecycle Management (PLM), tracked as CVE-2024-21287, which was actively exploited as a zero-day to obtain information.

Oracle Agile PLM is a software platform that lets companies manage product data, processes, and collaboration across global teams.

Yesterday, Oracle urged Agile PLM customers to install the latest version to fix the CVE-2024-21287 flaw.

“This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may result in file disclosure,” warned Oracle.

“Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.”

While Oracle acknowledged that the flaw was disclosed by Joel Snape and Lutz Wolf of CrowdStrike, the advisory did not mention that it was being actively exploited.

However, a later blog post by Oracle's Vice President of Security Assurance, Eric Maurice, confirmed that it was exploited in attacks.

“This vulnerability affects Oracle Agile Product Lifecycle Management (PLM). It was reported as being actively exploited ‘in the wild’ by CrowdStrike,” reads the post by Maurice.

“This vulnerability has received a CVSS Base Score of 7.5. If successfully exploited, an unauthenticated attacker could download, from the targeted system, files accessible under the privileges used by the PLM application.”

It is unclear how the flaw is currently being exploited and whether the attacks have been attributed to a specific threat actor.

BleepingComputer contacted both CrowdStrike and Oracle for more information but has not yet received a response.