
CVE ID: CVE-2024-20916

Title: SQL injection in sortBy GET parameter

CVSS score: 8.3 (High)

CVSS vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L

Product: Oracle Enterprise Manager Base Platform

Affected version: 13.5.0.0

Credit: Patryk Rejchert

A SQL injection was identified in the Event Management component of Oracle Enterprise Manager Base Platform (OEM BP). The affected version is 13.5.0.0. The vulnerability allows an attacker with valid credentials to compromise OEM BP. While the vulnerability is in OEM BP, attacks may significantly impact additional products (scope change).
Successful exploitation can result in unauthorized creation, deletion or modification access to critical data or to all OEM BP accessible data, unauthorized access to critical data, and the unauthorized ability to cause a partial denial of service (partial DoS) of OEM BP.

To trigger the vulnerability, send the following request (the injected expression is carried in the sortBy parameter):

GET /em/api/incidentCompressionPolicies/?offset=0&count=15&sortBy=order%3aasc%2c(SELECT%20(CASE%20WHEN%20(1%3d1)%20THEN%201%20ELSE%20CAST(1%20AS%20INT)%2f(SELECT%200%20FROM%20DUAL)%20END)%20FROM%20DUAL) HTTP/1.1
[…REDACTED…]


The request returns valid data only when the injected SQL condition (1=1 in the example above) is true; when the condition is false, the ELSE branch evaluates CAST(1 AS INT)/(SELECT 0 FROM DUAL), the division by zero raises an error, and the response differs. This makes the flaw a boolean-based (blind) SQL injection.
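The root cause is a sort parameter being spliced into an ORDER BY clause as raw text. The following is an added example (not Oracle's code and not part of the original advisory) of the defensive pattern for such a parameter: parse sortBy into key:direction pairs, accept only allow-listed keys and directions, and build ORDER BY solely from those validated tokens. The table, column names and the SORTABLE_COLUMNS mapping are constructed for the example; the request line is a copy of the one shown above and is used only to demonstrate that the validator rejects it.

```python
"""Allow-list validation for a sortBy query parameter (added example, not Oracle code)."""
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Hypothetical allow-list: user-facing sort keys -> real column identifiers.
# Only values from this dict (never the raw parameter) ever reach the SQL text.
SORTABLE_COLUMNS = {
    "order": "policy_order",
    "name": "policy_name",
    "created": "created_at",
}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}
_TOKEN = re.compile(r"^([a-z_]+):(asc|desc)$")

# Copy of the request line from the advisory, used here as a rejected input.
ADVISORY_REQUEST_LINE = (
    "GET /em/api/incidentCompressionPolicies/?offset=0&count=15&sortBy=order%3aasc%2c"
    "(SELECT%20(CASE%20WHEN%20(1%3d1)%20THEN%201%20ELSE%20CAST(1%20AS%20INT)%2f"
    "(SELECT%200%20FROM%20DUAL)%20END)%20FROM%20DUAL) HTTP/1.1"
)


class InvalidSortError(ValueError):
    """Raised when sortBy contains anything but allow-listed key:direction pairs."""


def parse_sort_by(raw: str) -> list[tuple[str, str]]:
    """Turn 'order:asc,name:desc' into [('policy_order', 'ASC'), ('policy_name', 'DESC')].

    Every comma-separated token must match <allow-listed key>:<asc|desc> exactly,
    so a CASE/SELECT expression like the one in the advisory is rejected up front.
    """
    pairs = []
    for token in raw.split(","):
        m = _TOKEN.match(token.strip())
        if not m or m.group(1) not in SORTABLE_COLUMNS:
            raise InvalidSortError(f"rejected sortBy token: {token!r}")
        pairs.append((SORTABLE_COLUMNS[m.group(1)], DIRECTIONS[m.group(2)]))
    if not pairs:
        raise InvalidSortError("empty sortBy")
    return pairs


def is_valid_sort_by(raw: str) -> bool:
    """Convenience predicate: True only if parse_sort_by accepts the value."""
    try:
        parse_sort_by(raw)
        return True
    except InvalidSortError:
        return False


def build_query(raw_sort_by: str, offset: int, count: int) -> tuple[str, tuple]:
    """Build the SELECT; ORDER BY comes from validated tokens, offset/count are bound parameters."""
    order_by = ", ".join(f"{col} {d}" for col, d in parse_sort_by(raw_sort_by))
    sql = ("SELECT policy_name FROM incident_compression_policies "
           f"ORDER BY {order_by} LIMIT ? OFFSET ?")
    return sql, (count, offset)


def sort_by_from_request_line(request_line: str) -> str:
    """Extract and URL-decode the raw sortBy value from an HTTP request line."""
    target = request_line.split(" ")[1]
    return parse_qs(urlsplit(target).query).get("sortBy", [""])[0]


def run_example() -> dict[str, list[str]]:
    """Run two legitimate sorts against a constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE incident_compression_policies "
                 "(policy_order INT, policy_name TEXT, created_at TEXT)")
    conn.executemany(
        "INSERT INTO incident_compression_policies VALUES (?, ?, ?)",
        [(2, "b", "2024-01-02"), (1, "a", "2024-01-01"), (3, "c", "2024-01-03")],
    )
    results = {}
    for raw in ("order:asc", "name:desc"):
        sql, params = build_query(raw, offset=0, count=15)
        results[raw] = [row[0] for row in conn.execute(sql, params)]
    return results


if __name__ == "__main__":
    print(run_example())
    payload = sort_by_from_request_line(ADVISORY_REQUEST_LINE)
    print("advisory sortBy accepted:", is_valid_sort_by(payload))
```

The regex plus dictionary lookup means the only characters that can ever reach the ORDER BY clause are the fixed column identifiers and ASC/DESC; offset and count are bound parameters rather than interpolated. Running the script shows the two legitimate sorts succeeding and the advisory's sortBy value being rejected before any SQL is built.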

  • 12-06-2023 - Vulnerability reported to the vendor
  • 16-01-2024 - Security advisory published by the vendor
  • 18-07-2025 - PoC published