Oracle is warning that a high-severity security flaw has been exploited in the wild that affects the Agile Product Lifecycle Management (PLM) Framework.
The vulnerability, tracked as CVE-2024-21287 (CVSS score: 7.5), can be exploited without authentication to leak sensitive information.
“This vulnerability can be exploited remotely without authentication, i.e., it can be used over the network without the need to enter a username and password,” Oracle said in the advisory. “If successfully exploited, this vulnerability could lead to file disclosure.”
CrowdStrike security researchers Joel Snape and Lutz Wolf are credited with discovering and reporting the flaw.
There is currently no information on who is exploiting the vulnerability, the targets of the malicious activity, or how widespread these attacks are.
“If successfully exploited, an unauthenticated attacker could download files from the target system that are accessible under the privileges used by the PLM application,” said Eric Morris, Oracle’s vice president of security.
Due to active exploitation, users are advised to apply the latest patches as soon as possible for optimal protection.
The Hacker News has reached out to Oracle and CrowdStrike for comment. We’ll update this story when we hear back.