CVE-2022-21587 CRITICAL

CVE-2022-21587

Vendor Oracle Corporation
Product Web Applications Desktop Integrator
KEV Status Known Exploited
Ransomware Used in campaigns
Published October 18, 2022
Last update October 21, 2025

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CISA mandated remediation

02CISA Required Action

Apply updates per vendor instructions.

Key dates

03Disclosure timeline

October 18, 2022 CVE published
October 21, 2025 Record updated