CVE-2022-39412: 
Oracle Access Manager vulnerability analysis and mitigation

A vulnerability (CVE-2022-39412) was discovered in Oracle Access Manager's Admin Console component, affecting version 12.2.1.4.0. This vulnerability allows unauthenticated attackers with network access via HTTP to potentially compromise Oracle Access Manager. The vulnerability was disclosed in October 2022 as part of Oracle's Critical Patch Update (Oracle CPU).

The vulnerability exists within the handling of the ContextValue parameter provided to the CustomReadServlet endpoint. The specific flaw stems from the lack of proper validation of a user-supplied path prior to using it in file operations. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (High) with the vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (ZDI Advisory).

Successful exploitation of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Access Manager accessible data. An attacker can leverage this vulnerability to disclose stored credentials, potentially leading to further system compromise (ZDI Advisory).

Oracle has released security patches to address this vulnerability as part of their October 2022 Critical Patch Update. Organizations using affected versions of Oracle Access Manager should apply the available security patches immediately (Oracle CPU).