CVE-2021-35587

CVE Database · CVE-2021-35587

CVE-2021-35587

· CRITICALAnalyzed

CVSS v3.1

9.8

EPSS

96.28%

Published

Jan 19, 2022

Modified

Oct 27, 2025

CISA Known Exploited Vulnerability

Added: 2022-11-28 · Due: 2022-12-19

Apply updates per vendor instructions.

Public PoC / Exploit (2)

All weaponized →

NucleiNuclei detection template TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: OpenSSO Agent). Supported versions that are affected are 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-306

Affected Products (3)

oracle · access_managervulnerable

References (3)

https://www.oracle.com/security-alerts/cpujan2022.html

Vendor Advisory

https://www.oracle.com/security-alerts/cpujan2022.html

Vendor Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-35587

US Government Resource

KEV Catalog EPSS Scores Vendors All CVEs