Oracle has fixed an unauthenticated file disclosure flaw in Oracle Agile Product Lifecycle Management (PLM) tracked as CVE-2024-21287, which was actively exploited as a zero-day to download files.
Oracle Agile PLM is a software platform that enables businesses to manage product data, processes, and collaboration across global teams.
Yesterday, Oracle urged Agile PLM customers to install the latest version to fix the CVE-2024-21287 flaw.
“This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may result in file disclosure,” warned Oracle.
“Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.”
While Oracle stated that the flaw was disclosed by Joel Snape and Lutz Wolf of CrowdStrike, the advisory did not indicate that it was actively exploited.
However, a later blog post by Oracle’s Vice President of Security Assurance, Eric Maurice, confirmed that it was exploited in attacks.
“This vulnerability affects Oracle Agile Product Lifecycle Management (PLM). It was reported as being actively exploited “in the wild” by CrowdStrike,” reads the post by Maurice.
“This vulnerability has received a CVSS Base Score of 7.5. If successfully exploited, an unauthenticated perpetrator could download, from the targeted system, files accessible under the privileges used by the PLM application.”
It is unclear how the flaw is currently being exploited and if the attacks have been attributed to a particular threat actor.
BleepingComputer contacted both CrowdStrike and Oracle for more information but has not received a response yet.
