CVE-2023-21844: 
Oracle Peoplesoft Enterprise Peopletools vulnerability analysis and mitigation

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Elastic Search). The vulnerability affects versions 8.59 and 8.60. This is an easily exploitable vulnerability that allows low privileged attackers with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. The vulnerability requires human interaction from a person other than the attacker, and while it exists in PeopleTools, attacks may significantly impact additional products (Oracle CPU Jan 2023).

The vulnerability has been assigned a CVSS 3.1 Base Score of 5.4, indicating MEDIUM severity. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, which indicates network attack vector, low attack complexity, low privileges required, user interaction required, changed scope, and low impacts on confidentiality and integrity with no impact on availability (Oracle CPU Jan 2023).

Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data (NVD).

Oracle has released patches to address this vulnerability as part of the January 2023 Critical Patch Update. Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible due to the threat posed by successful attacks (Oracle CPU Jan 2023).