Oracle Critical Patch Update Advisory

Oracle Critical Patch Update Advisory – April 2025
Description
A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to “Critical Patch Updates, Security Alerts and Bulletins” for information about Oracle Security advisories.
Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.
This Critical Patch Update contains 378 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at April 2025 Critical Patch Update: Executive Summary and Analysis.
Affected Products and Patch Information
Security vulnerabilities addressed by this Critical Patch Update affect the products listed below.
Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

| Affected Products and Versions | Patch Availability Document |
|---|---|
| Autonomous Health Framework, versions 23.8.0-23.11.0, 24.1.0-24.11.0, 25.1.0, 25.2.0 | Oracle Autonomous Health Framework |
| GoldenGate Stream Analytics, versions 19.1.0.0.0-19.1.0.0.10 | Database |
| JD Edwards EnterpriseOne Tools, versions 9.2.0.0-9.2.9.2 | JD Edwards |
| Management Cloud Engine, version 24.3.0 | Management Cloud Engine |
| MySQL Client, versions 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | MySQL |
| MySQL Cluster, versions 7.6.0-7.6.33, 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | MySQL |
| MySQL Connectors, versions 9.0.0-9.2.0 | MySQL |
| MySQL Enterprise Backup, versions 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | MySQL |
| MySQL Server, versions 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | MySQL |
| MySQL Shell, versions 8.0.32-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | MySQL |
| MySQL Workbench, versions 8.0.0-8.0.41 | MySQL |
| Oracle Access Manager, version 12.2.1.4.0 | Fusion Middleware |
| Oracle Agile Engineering Data Management, version 6.2.1 | Oracle Supply Chain Products |
| Oracle Application Express, versions 23.2.15, 23.2.16, 24.1.9, 24.1.10, 24.2.3, 24.2.4 | Database |
| Oracle Application Testing Suite, version 13.3.0.1 | Oracle Enterprise Manager |
| Oracle Banking APIs, versions 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0 | Contact Support |
| Oracle Banking Corporate Lending Process Management, versions 14.5.0.0.0-14.7.0.0.0 | Contact Support |
| Oracle Banking Digital Experience, versions 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0 | Contact Support |
| Oracle Banking Liquidity Management, version 14.7.0.7.0 | Contact Support |
| Oracle Banking Origination, versions 14.5.0.0.0-14.7.0.0.0 | Contact Support |
| Oracle BI Publisher, versions 7.6.0.0.0, 12.2.1.4.0 | Oracle Analytics |
| Oracle Business Activity Monitoring, version 14.1.2.0.0 | Fusion Middleware |
| Oracle Business Intelligence Enterprise Edition, versions 7.6.0.0.0, 12.2.1.4.0 | Oracle Analytics |
| Oracle Business Process Management Suite, versions 12.2.1.4.0, 14.1.2.0.0 | Fusion Middleware |
| Oracle Coherence, versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 | Fusion Middleware |
| Oracle Commerce Guided Search, versions 11.3.2, 11.4.0 | Oracle Commerce |
| Oracle Commerce Merchandising, versions 11.3.0, 11.3.1, 11.3.2 | Oracle Commerce |
| Oracle Commerce Platform, versions 11.3.0, 11.3.1, 11.3.2, 11.4.0 | Oracle Commerce |
| Oracle Communications Billing and Revenue Management, versions 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0-15.0.1.0.0 | Oracle Communications Billing and Revenue Management |
| Oracle Communications Cloud Native Core Binding Support Function, versions 24.2.0-24.2.2 | Oracle Communications Cloud Native Core Binding Support Function |
| Oracle Communications Cloud Native Core Certificate Management, version 24.2.2 | Oracle Communications Cloud Native Core Certificate Management |
| Oracle Communications Cloud Native Core Console, version 24.2.2 | Oracle Communications Cloud Native Core Console |
| Oracle Communications Cloud Native Core DBTier, versions 24.2.3, 24.2.4, 24.3.0 | Oracle Communications Cloud Native Core DBTier |
| Oracle Communications Cloud Native Core Network Data Analytics Function, version 24.2.0 | Oracle Communications Cloud Native Core Network Data Analytics Function |
| Oracle Communications Cloud Native Core Network Function Cloud Native Environment, versions 24.2.5, 25.1.100 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment |
| Oracle Communications Cloud Native Core Network Repository Function, version 24.2.3 | Oracle Communications Cloud Native Core Network Repository Function |
| Oracle Communications Cloud Native Core Policy, versions 24.2.0-24.2.4 | Oracle Communications Cloud Native Core Policy |
| Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 24.2.2, 24.2.3, 24.3.0 | Oracle Communications Cloud Native Core Security Edge Protection Proxy |
| Oracle Communications Cloud Native Core Service Communication Proxy, versions 24.2.0, 24.2.3, 24.3.0, 25.1.100 | Oracle Communications Cloud Native Core Service Communication Proxy |
| Oracle Communications Cloud Native Core Unified Data Repository, versions 22.4.0, 23.1.0-23.4.0, 24.2.3, 25.1.100 | Oracle Communications Cloud Native Core Unified Data Repository |
| Oracle Communications Diameter Signaling Router, version 9.0.0.0 | Oracle Communications Diameter Signaling Router |
| Oracle Communications EAGLE Element Management System, version 46.6 | Oracle Communications EAGLE Element Management System |
| Oracle Communications Element Manager, versions 9.0.0-9.0.3 | Oracle Communications Element Manager |
| Oracle Communications Messaging Server, version 8.1.0.26.0 | Oracle Communications Messaging Server |
| Oracle Communications MetaSolv Solution, version 6.3.1 | Oracle Communications MetaSolv Solution |
| Oracle Communications Network Analytics Data Director, versions 24.1.0-24.3.0 | Oracle Communications Network Analytics Data Director |
| Oracle Communications Network Charging and Control, versions 12.0.6.0.0, 15.0.0.0.0, 15.0.1.0.0 | Oracle Communications Network Charging and Control |
| Oracle Communications Network Integrity, versions 7.3.6, 7.4.0, 7.5.0 | Oracle Communications Network Integrity |
| Oracle Communications Operations Monitor, version 5.2 | Oracle Communications Operations Monitor |
| Oracle Communications Order and Service Management, versions 7.4.0, 7.4.1, 7.5.0 | Oracle Communications Order and Service Management |
| Oracle Communications Policy Management, version 15.0.0.0.0 | Oracle Communications Policy Management |
| Oracle Communications Pricing Design Center, versions 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0, 15.0.1.0.0 | Oracle Communications Pricing Design Center |
| Oracle Communications Service Catalog and Design, versions 8.0.0.4.0, 8.1.0.2.0 | Oracle Communications Service Catalog and Design |
| Oracle Communications Session Border Controller, versions 9.2.0, 9.3.0, 10.0.0 | Oracle Communications Session Border Controller |
| Oracle Communications Session Report Manager, versions 9.0.0-9.0.3 | Oracle Communications Session Report Manager |
| Oracle Communications Unified Assurance, versions 6.0-6.1 | Oracle Communications Unified Assurance |
| Oracle Communications Unified Inventory Management, versions 7.4.0-7.4.2, 7.5.0-7.5.1, 7.6.0, 7.7.0 | Oracle Communications Unified Inventory Management |
| Oracle Communications User Data Repository, versions 14.0.0, 15.0.0, 15.0.1, 15.0.2 | Oracle Communications User Data Repository |
| Oracle Data Integrator, version 12.2.1.4.0 | Fusion Middleware |
| Oracle Database Server, versions 19.3-19.26, 21.3-21.17, 23.4-23.7 | Database |
| Oracle Demantra Demand Management, versions 12.2.6-12.2.14 | Oracle Supply Chain Products |
| Oracle Documaker, versions 12.7.1.6, 12.7.2.3, 13.0.0.1 | Oracle Insurance Applications |
| Oracle E-Business Suite, versions 12.2.3-12.2.14, (ECC) 12-13 | Oracle E-Business Suite |
| Oracle Enterprise Communications Broker, versions 4.1.0, 4.2.0 | Oracle Enterprise Communications Broker |
| Oracle Enterprise Manager Base Platform, versions 13.5.0.0.0, 24.1.0.0.0 | Oracle Enterprise Manager |
| Oracle Essbase, version 21.7.1.0.0 | Database |
| Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7.8, 8.0.8.6, 8.1.1.4, 8.1.2.5 | Oracle Financial Services Analytical Applications Infrastructure |
| Oracle Financial Services Behavior Detection Platform, versions 8.0.8.1, 8.1.2.8, 8.1.2.9 | Oracle Financial Services Behavior Detection Platform |
| Oracle Financial Services Compliance Studio, version 8.1.2.9 | Oracle Financial Services Compliance Studio |
| Oracle Financial Services Model Management and Governance, version 8.1.2.7.0 | Oracle Financial Services Model Management and Governance |
| Oracle Financial Services Revenue Management and Billing, versions 2.9.0.0.0-7.0.0.0.0 | Oracle Financial Services Revenue Management and Billing |
| Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, version 8.0.8 | Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition |
| Oracle Fusion Middleware MapViewer, version 12.2.1.4.0 | Fusion Middleware |
| Oracle GoldenGate, versions 19.1.0.0.0-19.26.0.0.250219, 21.3-21.17, 23.4-23.7 | Database |
| Oracle GoldenGate Veridata, versions 12.2.1.4.0-12.2.1.4.241210 | Database |
| Oracle GraalVM Enterprise Edition, versions 20.3.17, 21.3.13 | Java SE |
| Oracle GraalVM for JDK, versions 17.0.14, 21.0.6, 24 | Java SE |
| Oracle Graph Server and Client, versions 23.4.3, 23.4.4, 24.3.0, 24.4.0 | Database |
| Oracle Hospitality Cruise Shipboard Property Management System, version 23.2.1 | Oracle Hospitality Cruise Shipboard Property Management System |
| Oracle Hospitality Reporting and Analytics, versions 9.1.34-9.1.36 | Oracle Hospitality Reporting and Analytics |
| Oracle Hospitality Simphony, versions 19.1-19.7 | Oracle Hospitality Simphony |
| Oracle HTTP Server, versions 12.2.1.4.0, 14.1.2.0.0 | Fusion Middleware |
| Oracle Hyperion Financial Reporting, version 11.2.19.0.0 | Oracle Enterprise Performance Management |
| Oracle Hyperion Infrastructure Technology, version 11.2.19.0.0 | Oracle Enterprise Performance Management |
| Oracle Java SE, versions 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24 | Java SE |
| Oracle JDeveloper, version 12.2.1.4.0 | Fusion Middleware |
| Oracle Managed File Transfer, versions 12.2.1.4.0, 14.1.2.0.0 | Fusion Middleware |
| Oracle NoSQL Database, versions 1.5.0, 1.6.0, 1.6.1 | NoSQL Database |
| Oracle Outside In Technology, version 8.5.7 | Fusion Middleware |
| Oracle Policy Automation, versions 12.2.0-12.2.36 | Oracle Policy Automation |
| Oracle Policy Modeling, versions 12.2.0-12.2.36 | Oracle Policy Automation |
| Oracle REST Data Services, versions 23.1, 23.2, 23.3, 23.4 | Database |
| Oracle Retail Order Broker, version 19.1 | Retail Applications |
| Oracle Retail Store Inventory Management, version 16.0.3.16 | Retail Applications |
| Oracle Retail Xstore Point of Service, versions 19.0.6, 20.0.5, 21.0.4, 22.0.2, 23.0.2, 24.0.1 | Retail Applications |
| Oracle SD-WAN Aware, version 9.0.1.11 | Oracle SD-WAN Aware |
| Oracle SD-WAN Edge, version 9.1.1.9 | Oracle SD-WAN Edge |
| Oracle Secure Backup, versions 12.1.0.1, 12.1.0.2, 12.1.0.3, 18.1.0.0, 18.1.0.1, 18.1.0.2, 19.1.0.0 | Oracle Secure Backup |
| Oracle Service Bus, version 12.2.1.4.0 | Fusion Middleware |
| Oracle Smart View for Office, version 24.200 | Oracle Enterprise Performance Management |
| Oracle SOA Suite, versions 12.2.1.4.0, 14.1.2.0.0 | Fusion Middleware |
| Oracle Solaris, version 11 | Systems |
| Oracle SQL Developer, version 24.3.1.347.1826 | Database |
| Oracle TimesTen In-Memory Database, versions 22.1.1.1.0-22.1.1.30.0 | Database |
| Oracle Utilities Application Framework, versions 4.3.0.3.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0, 4.5.0.1.1, 4.5.0.1.3, 24.1.0.0.0-24.3.0.0.0 | Oracle Utilities Applications |
| Oracle VM VirtualBox, version 7.1.6 | Virtualization |
| Oracle WebCenter Forms Recognition, version 14.1.1.0.0 | Fusion Middleware |
| Oracle WebCenter Portal, version 12.2.1.4.0 | Fusion Middleware |
| Oracle WebLogic Server, versions 12.2.1.4.0, 14.1.1.0.0 | Fusion Middleware |
| OSS Support Tools, versions 2.11.0-2.12.46, 8.0-8.18, 18.1-18.4, 19.1-19.4, 20.1-20.4, 22.2, 23.1-23.4, 24.1-24.4, 25.1 | Oracle Support Tools |
| PeopleSoft Enterprise CC Common Application Objects, version 9.2 | PeopleSoft |
| PeopleSoft Enterprise HCM Talent Acquisition Manager, version 9.2 | PeopleSoft |
| PeopleSoft Enterprise PeopleTools, versions 8.60, 8.61, 8.62 | PeopleSoft |
| Primavera Gateway, versions 20.12.0-20.12.17, 21.12.0-21.12.15 | Oracle Construction and Engineering Suite |
| Primavera P6 Enterprise Project Portfolio Management, versions 22.12.0-22.12.18, 23.12.0-23.12.13, 24.12.0-24.12.2 | Oracle Construction and Engineering Suite |
| Primavera Unifier, versions 20.12.0-20.12.16, 21.12.0-21.12.17, 22.12.0-22.12.15, 23.12.0-23.12.13, 24.12.0-24.12.3 | Oracle Construction and Engineering Suite |
| Siebel Applications, versions 17.0-25.2 | Siebel |

Risk Matrix Content
Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.
Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE ID. A vulnerability that affects multiple products will appear with the same CVE ID in all risk matrices.
Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).
Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about conditions required to exploit the vulnerability and the potential impact of a successful exploit. Oracle provides this information so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.
Vulnerabilities in third party components that are not exploitable through their inclusion in Oracle products are listed below the respective Oracle product’s risk matrix. Starting with the July 2023 Critical Patch Update, a VEX justification is also provided.
The protocol in the risk matrix implies that all of its secure variants are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected.
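The following added example (not part of Oracle's advisory) shows how the risk matrix columns map onto a CVSS 3.1 vector string and base score, so that rows can be loaded into a vulnerability tracker and checked against the published score. The rows are transcribed from this advisory's risk matrices; the metric weights and rounding rule are those of the FIRST CVSS v3.1 specification, and the function names are hypothetical.

```python
import math

# CVSS v3.1 base-metric weights (FIRST specification), keyed by the wording
# used in the risk matrix columns.
AV = {"Network": ("N", 0.85), "AdjacentNetwork": ("A", 0.62),
      "Local": ("L", 0.55), "Physical": ("P", 0.20)}
AC = {"Low": ("L", 0.77), "High": ("H", 0.44)}
UI = {"None": ("N", 0.85), "Required": ("R", 0.62)}
CIA = {"High": ("H", 0.56), "Low": ("L", 0.22), "None": ("N", 0.0)}
# Privileges Required: (code, weight if scope unchanged, weight if scope changed)
PR = {"None": ("N", 0.85, 0.85), "Low": ("L", 0.62, 0.68), "High": ("H", 0.27, 0.50)}
SCOPE = {"Unchanged": "U", "Changed": "C"}

# Rows transcribed from this advisory's risk matrices:
# (CVE, product / component, published score, AV, AC, PR, UI, Scope, C, I, A)
ROWS = [
    ("CVE-2025-30736", "Database / Java VM", 7.4, "Network", "High", "None", "None", "Un-changed", "High", "High", "None"),
    ("CVE-2025-30701", "Database / RAS Security", 7.3, "Network", "Low", "Low", "Required", "Un-changed", "High", "High", "None"),
    ("CVE-2025-30733", "Database / RDBMS Listener", 6.5, "Network", "Low", "None", "Required", "Un-changed", "High", "None", "None"),
    ("CVE-2025-30694", "Database / XML Database", 5.4, "Network", "Low", "Low", "Required", "Changed", "Low", "Low", "None"),
    ("CVE-2025-30702", "Database / Fleet Patching", 5.3, "Network", "Low", "None", "None", "Un-changed", "Low", "None", "None"),
    ("CVE-2024-13176", "Database (OpenSSL)", 4.3, "Physical", "Low", "None", "None", "Un-changed", "Low", "Low", "Low"),
    ("CVE-2020-36843", "Database SQLCl (EdDSA)", 4.3, "Local", "Low", "None", "None", "Changed", "None", "Low", "None"),
    ("CVE-2024-24549", "AHF / Trace File Analyzer", 7.5, "Network", "Low", "None", "None", "Un-changed", "None", "None", "High"),
    ("CVE-2024-13176", "Essbase / Web Platform", 4.1, "Physical", "Low", "Low", "None", "Un-changed", "Low", "Low", "Low"),
    ("CVE-2024-39338", "GoldenGate (Axios)", 7.5, "Network", "Low", "None", "None", "Un-changed", "High", "None", "None"),
    ("CVE-2024-36114", "Stream Analytics (Aircompressor)", 5.3, "Network", "High", "High", "Required", "Un-changed", "Low", "Low", "High"),
    ("CVE-2021-41184", "GoldenGate (jQueryUI)", 4.0, "Network", "High", "None", "None", "Changed", "None", "None", "Low"),
    ("CVE-2024-47561", "Stream Analytics (Apache Avro)", 3.8, "AdjacentNetwork", "High", "High", "Required", "Un-changed", "Low", "Low", "Low"),
    ("CVE-2024-6763", "Graph Server (Eclipse Jetty)", 5.3, "Network", "Low", "None", "None", "Un-changed", "None", "Low", "None"),
    ("CVE-2025-21578", "Secure Backup / General", 6.7, "Local", "Low", "High", "None", "Un-changed", "High", "High", "High"),
]


def roundup(value):
    """Round up to one decimal place as defined in CVSS v3.1 Appendix A."""
    scaled = round(value * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0


def score_row(row):
    """Return (vector string, computed base score) for one risk-matrix row."""
    _cve, _product, _published, av, ac, pr, ui, scope, c, i, a = row
    # The page prints "Un-changed" and "AdjacentNetwork"; normalise both forms.
    s = SCOPE[scope.replace("-", "")]
    changed = s == "C"
    av_code, av_w = AV[av.replace(" ", "")]
    ac_code, ac_w = AC[ac]
    pr_code, pr_unchanged, pr_changed = PR[pr]
    pr_w = pr_changed if changed else pr_unchanged
    ui_code, ui_w = UI[ui]
    (c_code, c_w), (i_code, i_w), (a_code, a_w) = CIA[c], CIA[i], CIA[a]

    iss = 1 - (1 - c_w) * (1 - i_w) * (1 - a_w)
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    exploitability = 8.22 * av_w * ac_w * pr_w * ui_w
    if impact <= 0:
        base = 0.0
    elif changed:
        base = roundup(min(1.08 * (impact + exploitability), 10))
    else:
        base = roundup(min(impact + exploitability, 10))
    vector = (f"CVSS:3.1/AV:{av_code}/AC:{ac_code}/PR:{pr_code}/UI:{ui_code}"
              f"/S:{s}/C:{c_code}/I:{i_code}/A:{a_code}")
    return vector, base


def check_matrix(rows):
    """Score every row and flag any whose computed score differs from the page."""
    results = []
    for row in rows:
        vector, base = score_row(row)
        results.append({"cve": row[0], "product": row[1], "vector": vector,
                        "computed": base, "published": row[2],
                        "matches": base == row[2]})
    return results


if __name__ == "__main__":
    for r in sorted(check_matrix(ROWS), key=lambda r: -r["computed"]):
        flag = "ok" if r["matches"] else "MISMATCH"
        print(f'{r["computed"]:>4}  {r["cve"]:<15} {r["product"]:<34} {r["vector"]}  {flag}')
```

CVE-2024-13176 appears twice with different scores (4.3 for Oracle Database, 4.1 for Oracle Essbase) because the Privileges Required metric differs between the two products, which is why the score has to be taken per product row rather than per CVE.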
Workarounds
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.
Skipped Critical Patch Updates
Oracle strongly recommends that customers apply security patches as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security patches announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.

Critical Patch Update Supported Products and Versions
Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.
Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.
Database, Fusion Middleware, and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy that further supplements the Lifetime Support Policy as explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.
Credit Statement
The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

Aamir Rehman Yousafzai: CVE-2025-30707, CVE-2025-30708
Abhijit Gaikwad: CVE-2025-30737
Ahmed Abbas: CVE-2025-30716, CVE-2025-30717
Alaa Kachouh: CVE-2025-30737
Alberto Arganese of TIM S.p.A.: CVE-2025-30694
Alexandre Aubut of Centre Gouvernementale de cyberdéfense du Québec: CVE-2025-30730, CVE-2025-30731, CVE-2025-30732
Alicja Kario: CVE-2025-21587
Athul Jayaram: CVE-2025-21576
AWS Security of Amazon: CVE-2025-30722
Brandon Cox of 3D Systems: CVE-2025-30692
Brandon Stamm: CVE-2025-30709
Craig at driftnet.io: CVE-2025-30733
Cristian Castrechini of TIM S.p.A.: CVE-2025-30694
CVR of Google: CVE-2025-30712
Dominique RIGHETTO of Excellium Cyber Solution By Thales: CVE-2025-30713
Federico Draghelli of TIM S.p.A.: CVE-2025-30694
François Longchamps of Centre Gouvernementale de cyberdéfense du Québec: CVE-2025-30730, CVE-2025-30731, CVE-2025-30732
Giulio Schiavone: CVE-2025-21586, CVE-2025-30740
IuHrm: CVE-2025-30726, CVE-2025-30727, CVE-2025-30728
Jakub Barton: CVE-2025-30714
Jean-Michel Huguet of NATO Cyber Security Centre (NCSC): CVE-2025-30723, CVE-2025-30724
JiAn Zhou of Alibaba: CVE-2025-30706
Jie Liang of WingTecher Lab of Tsinghua University: CVE-2025-30681, CVE-2025-30682, CVE-2025-30683, CVE-2025-30684, CVE-2025-30685, CVE-2025-30687, CVE-2025-30688
Jingzhou Fu of WingTecher Lab of Tsinghua University: CVE-2025-30681, CVE-2025-30682, CVE-2025-30683, CVE-2025-30684, CVE-2025-30685, CVE-2025-30687, CVE-2025-30688
Juan José López Jaimez of Google: CVE-2025-30712
Massimiliano Brolli of TIM S.p.A.: CVE-2025-30694
Michael Kutz: CVE-2025-30701
Mochamad Akbar Anggamaulana: CVE-2025-30718
Théo GOBINET of ENGIE IT Offensive Cybersecurity Team: CVE-2025-30711
Ying Zhu of Alibaba: CVE-2025-30706
Zhiyong Wu of WingTecher Lab of Tsinghua University: CVE-2025-30681, CVE-2025-30682, CVE-2025-30683, CVE-2025-30684, CVE-2025-30685, CVE-2025-30687, CVE-2025-30688
Ziyang Li of Alibaba: CVE-2025-30706
Zong Cao: CVE-2025-30719
Zong Cao of Cyber Security Lab of NTU: CVE-2025-30725
Zongrui Peng of WingTecher Lab of Tsinghua University: CVE-2025-30687, CVE-2025-30688

Security-In-Depth Contributors
Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.
In this Critical Patch Update, Oracle recognizes the following for contributions to Oracle’s Security-In-Depth program:

Amichai Rothman
Markus Loewe of Onapsis
Orange Tsai
Rowan Crane
Splitline Huang of DEVCORE Research Team
Yakov Shafranovich of Amazon Web Services (4 reports)

On-Line Presence Security Contributors
Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle’s on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle’s on-line external-facing systems.
For this quarter, Oracle recognizes the following for contributions to Oracle’s On-Line Presence Security program:

Abdulaziz Alzahrani (2 reports)
Ahmed Al-Saleem
Andr. Ess (4 reports)
David Krause of HCA Healthcare
Dung Nguyen Anh
Firewallresearch
Herry Poter
Jashim Uddin Bhuiyan
Jeffrey Bencteux of Improsec
Kyle Burbank
Le Ngoc Anh
Milan Katwal
Miracles
Mohaned Ahmed
Muhammad Usama Arshad
Packy Jones
Praveen Das
Sanjith Roshan
Shivam Dhingra
Syed Sohaib Karim
Turbolego Fiberkanin
Yasser Alhazmi of Thawd.io (2 reports)
YiKun Zhao

Critical Patch Update Schedule
Critical Patch Updates are released on the third Tuesday of January, April, July, and October. The next four dates are:

15 July 2025
21 October 2025
20 January 2026
21 April 2026

Modification History

| Date | Note |
|---|---|
| 2025-April-15 | Rev 1. Initial Release. |

Oracle Database Products Risk Matrices
This Critical Patch Update contains 17 new security patches for Oracle Database Products divided as follows:

7 new security patches for Oracle Database Products
No new security patches for Oracle Application Express, but third party patches are provided
1 new security patch for Oracle Autonomous Health Framework
1 new security patch for Oracle Essbase
4 new security patches for Oracle GoldenGate
1 new security patch for Oracle Graph Server and Client
No new security patches for Oracle NoSQL Database, but third party patches are provided
No new security patches for Oracle REST Data Services, but third party patches are provided
1 new security patch for Oracle Secure Backup
No new security patches for Oracle SQL Developer, but third party patches are provided
2 new security patches for Oracle TimesTen In-Memory Database

Oracle Database Server Risk Matrix

This Critical Patch Update contains 7 new security patches, plus additional third party patches noted below, for Oracle Database Products.  3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  2 of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

| CVE ID | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2025-30736 | Java VM | None | Multiple | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 19.3-19.26, 21.3-21.17, 23.4-23.7 | |
| CVE-2025-30701 | RAS Security | User Account | Oracle Net | No | 7.3 | Network | Low | Low | Required | Unchanged | High | High | None | 19.3-19.26, 21.3-21.17, 23.4-23.7 | |
| CVE-2025-30733 | RDBMS Listener | None | Oracle Net | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 19.3-19.26, 21.3-21.17, 23.4-23.7 | |
| CVE-2025-30694 | XML Database | User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 19.3-19.26, 21.3-21.17, 23.4-23.7 | |
| CVE-2025-30702 | Fleet Patching & Provisioning | None | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 19.3-19.26 | |
| CVE-2024-13176 | Oracle Database (OpenSSL) | None | None | No | 4.3 | Physical | Low | None | None | Unchanged | Low | Low | Low | 23.4-23.7 | |
| CVE-2020-36843 | Oracle Database SQLCl (EdDSA) | None | SSH | No | 4.3 | Local | Low | None | None | Changed | None | Low | None | 23.4-23.7 | |

Additional CVEs addressed are:

The patch for CVE-2024-13176 also addresses CVE-2022-3786 and CVE-2024-9143.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

Oracle Database Grid (Apache Tomcat): CVE-2025-24813 (VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary).
Oracle Database Workload Manager (Eclipse Jetty): CVE-2024-8184 and CVE-2024-6763 (VEX Justification: vulnerable_code_not_in_execute_path).
Oracle Spatial and Graph Mapviewer (Curl): CVE-2024-11053 (VEX Justification: vulnerable_code_not_in_execute_path).
Perl (Libexpat): CVE-2024-8176 (VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary).

Oracle Database Server Client-Only Installations

The following Oracle Database Server vulnerabilities included in this Critical Patch Update affect client-only installations: CVE-2024-13176 and CVE-2020-36843.

 
Oracle Application Express Risk Matrix

This Critical Patch Update contains no new security patches for exploitable vulnerabilities but does include third party patches, noted below, for the following non-exploitable third party CVEs for Oracle Application Express.  Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle Application Express.  The English text form of this Risk Matrix can be found here.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

Oracle Application Express

General (DOMPurify): CVE-2025-26791 (VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary).
General (PrismJS): CVE-2024-53382 (VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary).

 
Oracle Autonomous Health Framework Risk Matrix

This Critical Patch Update contains 1 new security patch, plus additional third party patches noted below, for Oracle Autonomous Health Framework.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-24549 | Autonomous Health Framework | Trace File Analyzer (Apache Tomcat) | HTTP/2 | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.8.0-23.11.0, 24.1.0-24.11.0, 25.1.0, 25.2.0 | |

Additional CVEs addressed are:

The patch for CVE-2024-24549 also addresses CVE-2020-11996, CVE-2020-13935, CVE-2020-13943, CVE-2020-1935, CVE-2020-1938, CVE-2020-9484, CVE-2021-24122, CVE-2021-25122, CVE-2021-25329, CVE-2021-30640, CVE-2021-33037, CVE-2021-41079, CVE-2021-43980, CVE-2022-25762, CVE-2022-42252, CVE-2023-28708, CVE-2023-41080, CVE-2023-42795, CVE-2023-44487, CVE-2023-45648, CVE-2023-46589, and CVE-2024-23672.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

Autonomous Health Framework

Trace File Analyzer (json-smart): CVE-2024-57699 (VEX Justification: vulnerable_code_not_in_execute_path).

 
Oracle Essbase Risk Matrix

This Critical Patch Update contains 1 new security patch, plus additional third party patches noted below, for Oracle Essbase.  This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

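Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-13176 | Oracle Essbase | Web Platform (OpenSSL) | None | No | 4.1 | Physical | Low | Low | None | Unchanged | Low | Low | Low | 21.7.1.0.0 | |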

Additional CVEs addressed are:

The patch for CVE-2024-13176 also addresses CVE-2024-9143.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

Oracle Essbase

Marketplace (jackson-databind): CVE-2021-42575 (VEX Justification: vulnerable_code_not_in_execute_path).
Web Platform (RequireJS): CVE-2024-38999 (VEX Justification: vulnerable_code_not_in_execute_path).

 
Oracle GoldenGate Risk Matrix

This Critical Patch Update contains 4 new security patches, plus additional third party patches noted below, for Oracle GoldenGate.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-39338 | Oracle GoldenGate | Internal Framework (Axios) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 21.3-21.17, 23.4-23.7 | |
| CVE-2024-36114 | GoldenGate Stream Analytics | Stream Analytics (Aircompressor) | HTTP | No | 5.3 | Network | High | High | Required | Unchanged | Low | Low | High | 19.1.0.0.0-19.1.0.0.10 | |
| CVE-2021-41184 | Oracle GoldenGate | Embedded Web UI for Services (jQueryUI) | HTTP | Yes | 4.0 | Network | High | None | None | Changed | None | None | Low | 19.1.0.0.0-19.26.0.0.250219, 21.3-21.17 | |
| CVE-2024-47561 | GoldenGate Stream Analytics | Stream Analytics (Apache Avro) | HTTP | No | 3.8 | Adjacent Network | High | High | Required | Unchanged | Low | Low | Low | 19.1.0.0.0-19.1.0.0.10 | |

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

GoldenGate Stream Analytics

General Issues (urllib3): CVE-2024-37891 (VEX Justification: vulnerable_code_not_in_execute_path).
Security (Spring Framework): CVE-2023-34053 (VEX Justification: vulnerable_code_not_in_execute_path).

Oracle GoldenGate Veridata

Veridata (Spring Framework): CVE-2024-38819 and CVE-2024-38820 (VEX Justification: vulnerable_code_not_in_execute_path).

 
Oracle Graph Server and Client Risk Matrix

This Critical Patch Update contains 1 new security patch, plus additional third party patches noted below, for Oracle Graph Server and Client.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-6763 | Graph Server and Client | Install (Eclipse Jetty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 23.4.4, 24.4.0 | |

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

Graph Server and Client

Install (Apache Commons IO): CVE-2024-47554 (VEX Justification: vulnerable_code_not_in_execute_path).

 
Oracle NoSQL Database Risk Matrix

This Critical Patch Update contains no new security patches for exploitable vulnerabilities but does include third party patches, noted below, for the following non-exploitable third party CVEs for Oracle NoSQL Database.  Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle NoSQL Database.  The English text form of this Risk Matrix can be found here.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

Oracle NoSQL Database

Administration (Aircompressor): CVE-2024-36114 (VEX Justification: vulnerable_code_not_in_execute_path).
Administration (Apache Commons IO): CVE-2024-47554 (VEX Justification: vulnerable_code_not_in_execute_path).

 
Oracle REST Data Services Risk Matrix

This Critical Patch Update contains no new security patches for exploitable vulnerabilities but does include third party patches, noted below, for the following non-exploitable third party CVEs for Oracle REST Data Services.  Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle REST Data Services.  The English text form of this Risk Matrix can be found here.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

Oracle REST Data Services

General (Apache Commons IO): CVE-2024-47554 (VEX Justification: vulnerable_code_not_in_execute_path).

 
Oracle Secure Backup Risk Matrix

This Critical Patch Update contains 1 new security patch, plus additional third party patches noted below, for Oracle Secure Backup.  This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) spans the Base Score through Availability columns.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2025-21578 | Oracle Secure Backup | General | None | No | 6.7 | Local | Low | High | None | Unchanged | High | High | High | 12.1.0.1, 12.1.0.2, 12.1.0.3, 18.1.0.0, 18.1.0.1, 18.1.0.2 | |

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

Oracle Secure Backup

Oracle Secure Backup (PHP): CVE-2024-11236, CVE-2024-11233 and CVE-2024-11234 (VEX Justification: vulnerable_code_not_in_execute_path).

 
Oracle SQL Developer Risk Matrix

This Critical Patch Update contains no new security patches for exploitable vulnerabilities but does include third party patches, noted below, for the following non-exploitable third party CVEs for Oracle SQL Developer.  Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle SQL Developer.  The English text form of this Risk Matrix can be found here.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

Oracle SQL Developer

Install (Apache Commons IO): CVE-2024-47554 (VEX Justification: vulnerable_code_not_in_execute_path).

 
Oracle TimesTen In-Memory Database Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle TimesTen In-Memory Database.  Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) spans the Base Score through Availability columns.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2025-24970 | Oracle TimesTen In-Memory Database | EM TimesTen plug-in (Netty) | TLS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 22.1.1.1.0-22.1.1.30.0 | |
| CVE-2024-47554 | Oracle TimesTen In-Memory Database | EM TimesTen plug-in (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 22.1.1.1.0-22.1.1.30.0 | |

Additional CVEs addressed are:

The patch for CVE-2025-24970 also addresses CVE-2025-25193.

 
Oracle Commerce Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Commerce.  5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) spans the Base Score through Availability columns.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2025-24813 | Oracle Commerce Guided Search | Content Acquisition System (Apache Tomcat) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.3.2, 11.4.0 | |
| CVE-2021-23450 | Oracle Commerce Merchandising | Asset Manager (dojo) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.3.0, 11.3.1, 11.3.2 | |
| CVE-2024-38819 | Oracle Commerce Guided Search | Content Acquisition System (Spring Framework) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 11.3.2, 11.4.0 | |
| CVE-2024-45613 | Oracle Commerce Platform | Platform (CKEditor) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.3.0, 11.3.1, 11.3.2, 11.4.0 | |
| CVE-2025-21576 | Oracle Commerce Platform | Dynamo Personalization Server | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 11.3.0, 11.3.1, 11.3.2 | |
| CVE-2023-51074 | Oracle Commerce Guided Search | Content Acquisition System (JsonPath) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.3.2, 11.4.0 | |

Additional CVEs addressed are:

The patch for CVE-2024-38819 also addresses CVE-2024-38820.

 
Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 42 new security patches for Oracle Communications Applications.  35 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) spans the Base Score through Availability columns.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-52046 | Oracle Communications Network Integrity | FileTransferJCA, VPLS Cartridge, TL1 Cartridge (Apache Mina) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.3.6, 7.4.0, 7.5.0 | |
| CVE-2024-52046 | Oracle Communications Unified Assurance | Core (Apache Mina) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 6.0-6.1 | |
| CVE-2025-24813 | Oracle Communications Unified Assurance | Core (Apache Tomcat) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 6.0-6.1 | |
| CVE-2024-40896 | Oracle Communications Unified Assurance | Core (libxml2) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | None | High | High | 6.0-6.1 | |
| CVE-2025-24970 | Oracle Communications Billing and Revenue Management | Security (Netty) | TCP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0-15.0.1.0.0 | |
| CVE-2025-24970 | Oracle Communications Messaging Server | Security (Netty) | TCP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.1.0.26.0 | |
| CVE-2024-28168 | Oracle Communications MetaSolv Solution | Print Preview (Apache FOP) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 6.3.1 | |
| CVE-2025-24970 | Oracle Communications Network Charging and Control | REST (Netty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.0.6.0.0, 15.0.0.0.0, 15.0.1.0.0 | |
| CVE-2025-24970 | Oracle Communications Order and Service Management | Security (Netty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 7.5.0 | |
| CVE-2024-57699 | Oracle Communications Order and Service Management | Security (json-smart) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 7.5.0 | |
| CVE-2025-24970 | Oracle Communications Pricing Design Center | REST Services Manager (Netty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0, 15.0.1.0.0 | |
| CVE-2025-24970 | Oracle Communications Service Catalog and Design | Solution Designer (Netty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.0.4.0, 8.1.0.2.0 | |
| CVE-2024-43709 | Oracle Communications Unified Assurance | Core (Elasticsearch) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 6.0 | |
| CVE-2025-24970 | Oracle Communications Unified Assurance | Core (Netty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 6.0-6.1 | |
| CVE-2024-38819 | Oracle Communications Unified Assurance | Core (Spring Framework) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 6.0-6.1 | |
| CVE-2024-7254 | Oracle Communications Unified Inventory Management | Security (Google Protobuf-Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 7.4.0-7.4.2, 7.5.0-7.5.1 | |
| CVE-2024-47072 | Oracle Communications Unified Inventory Management | Security (XStream) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 7.4.0-7.4.2, 7.5.0, 7.5.1, 7.6.0, 7.7.0 | |
| CVE-2024-57699 | Oracle Communications Unified Inventory Management | Security (json-smart) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 7.5.1, 7.6.0, 7.7.0 | |
| CVE-2024-12798 | Oracle Communications Service Catalog and Design | Solution Designer (logback) | None | No | 6.6 | Local | High | Low | Required | Changed | Low | High | Low | 8.0.0.4.0, 8.1.0.2.0 | |
| CVE-2023-5388 | Oracle Communications Messaging Server | Security (NSS) | HTTPS | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | None | Low | 8.1.0.26.0 | |
| CVE-2024-31141 | Oracle Communications Unified Assurance | Microservices (Apache Kafka) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 6.0-6.1 | |
| CVE-2023-5388 | Oracle Communications Unified Assurance | Core (NSS) | HTTPS | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | None | Low | 6.0-6.1 | |
| CVE-2024-50602 | Oracle Communications Unified Assurance | Core (LibExpat) | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 6.0-6.1 | |
| CVE-2024-35195 | Oracle Communications Billing and Revenue Management | Platform (requests) | None | No | 5.6 | Local | High | High | Required | Unchanged | High | High | None | 12.0.0.8.0, 15.0.0.0.0-15.0.1.0.0 | |
| CVE-2025-23084 | Oracle Communications Unified Assurance | Core (Node.js) | None | No | 5.6 | Local | Low | Low | Required | Unchanged | High | Low | None | 6.0-6.1 | |
| CVE-2024-53122 | Oracle Communications Billing and Revenue Management | Connection Manager (Python) | None | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 15.0.1.0.0 | |
| CVE-2025-30729 | Oracle Communications Order and Service Management | Security | HTTP | No | 5.5 | Network | Low | Low | Required | Unchanged | Low | Low | Low | 7.4.0, 7.4.1, 7.5.0 | |
| CVE-2023-49582 | Oracle Communications Unified Assurance | Core (Apache Portable Runtime) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 6.0-6.1 | |
| CVE-2024-34064 | Oracle Communications Unified Assurance | Core (Jinja) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 6.0-6.1 | |
| CVE-2024-56128 | Oracle Communications Billing and Revenue Management | Platform (Apache Kafka) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0, 15.0.1.0.0 | |
| CVE-2023-51074 | Oracle Communications Order and Service Management | Security (JsonPath) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 7.5.0 | |
| CVE-2023-51074 | Oracle Communications Unified Inventory Management | Infrastructure (JsonPath) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 7.5.1 | |
| CVE-2024-56128 | Oracle Communications Unified Inventory Management | Security (Apache Kafka) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 7.5.1, 7.6.0, 7.7.0 | |
| CVE-2024-43796 | Oracle Communications Unified Assurance | User Interface (Express.js) | HTTP | Yes | 4.7 | Network | High | None | Required | Changed | Low | Low | None | 6.0-6.1 | |
| CVE-2024-47554 | Oracle Communications Billing and Revenue Management | Security (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0-15.0.1.0.0 | |
| CVE-2024-47554 | Oracle Communications Messaging Server | Security (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 8.1.0.26.0 | |
| CVE-2024-47554 | Oracle Communications MetaSolv Solution | JSP Pages (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 6.3.1 | |
| CVE-2024-47554 | Oracle Communications Order and Service Management | Security (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 7.5.0, 7.4.1, 7.4.0 | |
| CVE-2024-47554 | Oracle Communications Pricing Design Center | On-premise Deployment (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0, 15.0.1.0.0 | |
| CVE-2024-47554 | Oracle Communications Unified Assurance | Core (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 6.0-6.1 | |
| CVE-2024-47554 | Oracle Communications Unified Inventory Management | Security (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 7.4.1, 7.4.2, 7.5.0, 7.5.1 | |
| CVE-2024-11053 | Oracle Communications Unified Assurance | Core (curl) | HTTP | Yes | 3.4 | Network | High | None | Required | Changed | Low | None | None | 6.0-6.1 | |

Additional CVEs addressed are:

The patch for CVE-2024-12798 also addresses CVE-2024-12801.
The patch for CVE-2025-24970 also addresses CVE-2025-25193.
The patch for CVE-2025-23084 also addresses CVE-2025-23083 and CVE-2025-23085.
The patch for CVE-2024-38819 also addresses CVE-2024-38820.

 
Oracle Communications Risk Matrix

This Critical Patch Update contains 103 new security patches, plus additional third party patches noted below, for Oracle Communications.  82 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) spans the Base Score through Availability columns.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-56337 | Management Cloud Engine | BEServer (Apache Tomcat) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 24.3.0 | |
| CVE-2024-52046 | Management Cloud Engine | BEServer (Apache Mina SSHD) | SSH | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 24.3.0 | |
| CVE-2024-56337 | Oracle Communications Cloud Native Core Network Data Analytics Function | Automated Test Suite (Apache Tomcat) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 24.2.0 | |
| CVE-2025-1974 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | Configuration (Ingress NGINX Controller) | TCP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 24.2.5 | |
| CVE-2025-24813 | Oracle Communications Element Manager | Web UI (Apache Tomcat) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.0.0-9.0.3 | |
| CVE-2025-24813 | Oracle Communications Policy Management | Configuration Management Platform (Apache Tomcat) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 15.0.0.0.0 | |
| CVE-2025-24813 | Oracle Communications Session Report Manager | Web UI (Apache Tomcat) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.0.0-9.0.3 | |
| CVE-2025-24813 | Oracle SD-WAN Edge | Internal Tools (Apache Tomcat) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.1.1.9 | |
| CVE-2024-40896 | Oracle Communications Cloud Native Core Network Data Analytics Function | Automated Test Suite (libxml2) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | None | High | High | 24.2.0 | |
| CVE-2024-40896 | Oracle Communications Cloud Native Core Unified Data Repository | Install (libxml2) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | None | High | High | 25.1.100 | |
| CVE-2024-5535 | Oracle Communications Session Border Controller | Routing (OpenSSL) | HTTPS | Yes | 9.1 | Network | Low | None | None | Unchanged | High | None | High | 9.2.0, 9.3.0, 10.0.0 | |
| CVE-2024-5535 | Oracle Enterprise Communications Broker | Routing (OpenSSL) | TLS | Yes | 9.1 | Network | Low | None | None | Unchanged | High | None | High | 4.1.0, 4.2.0 | |
| CVE-2024-25638 | Oracle Communications Network Analytics Data Director | Automated Test Suite Framework (dnsjava) | HTTP | Yes | 8.9 | Network | High | None | None | Changed | High | High | Low | 24.1.0 | |
| CVE-2024-43044 | Oracle Communications Policy Management | Configuration Management Platform (Jenkins) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 15.0.0.0.0 | |
| CVE-2025-27516 | Oracle Communications Cloud Native Core Binding Support Function | Alarms, KPI, and Measurements (Jinja) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 24.2.0-24.2.2 | |
| CVE-2025-24928 | Oracle Communications Cloud Native Core DBTier | Configuration (libxml2) | None | No | 7.8 | Local | High | None | None | Changed | High | High | None | 24.2.4 | |
| CVE-2025-27516 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | Configuration (Jinja) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 24.2.5 | |
| CVE-2025-27516 | Oracle Communications Cloud Native Core Policy | Alarms, KPI, and Measurements (Jinja) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 24.2.0-24.2.4 | |
| CVE-2024-7254 | Oracle Communications Cloud Native Core Binding Support Function | Install (Google Protobuf-Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.0-24.2.2 | |
| CVE-2024-1135 | Oracle Communications Cloud Native Core Binding Support Function | Install (Gunicorn) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 24.2.0-24.2.2 | |
| CVE-2025-24970 | Oracle Communications Cloud Native Core Binding Support Function | Install (Netty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.0-24.2.2 | |
| CVE-2024-47072 | Oracle Communications Cloud Native Core Binding Support Function | Install (XStream) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.0-24.2.2 | |
| CVE-2024-57699 | Oracle Communications Cloud Native Core Binding Support Function | Install (json-smart) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.0-24.2.2 | |
| CVE-2025-24970 | Oracle Communications Cloud Native Core Certificate Management | Configuration (Netty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.2 | |
| CVE-2025-24970 | Oracle Communications Cloud Native Core Console | Configuration (Netty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.2 | |
| CVE-2024-52303 | Oracle Communications Cloud Native Core Network Data Analytics Function | Automated Test Suite (AIOHTTP) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.0 | |
| CVE-2024-38819 | Oracle Communications Cloud Native Core Network Data Analytics Function | Automated Test Suite (Spring Framework) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 24.2.0 | |
| CVE-2024-47072 | Oracle Communications Cloud Native Core Network Data Analytics Function | Automated Test Suite (XStream) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.0 | |
| CVE-2024-7254 | Oracle Communications Cloud Native Core Network Repository Function | Configuration (Google Protobuf-Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.3 | |
| CVE-2025-24970 | Oracle Communications Cloud Native Core Network Repository Function | Configuration (Netty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.3 | |
| CVE-2023-5685 | Oracle Communications Cloud Native Core Network Repository Function | Configuration (XNIO) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.3 | |
| CVE-2024-47072 | Oracle Communications Cloud Native Core Network Repository Function | Configuration (XStream) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.3 | |
| CVE-2024-1135 | Oracle Communications Cloud Native Core Policy | Alarms, KPI, and Measurements (Gunicorn) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 24.2.0-24.2.4 | |
| CVE-2025-24970 | Oracle Communications Cloud Native Core Policy | Alarms, KPI, and Measurements (Netty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.0-24.2.4 | |
| CVE-2024-47072 | Oracle Communications Cloud Native Core Policy | Alarms, KPI, and Measurements (XStream) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.0-24.2.4 | |
| CVE-2024-21538 | Oracle Communications Cloud Native Core Policy | Alarms, KPI, and Measurements (cross-spawn) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.0-24.2.4 | |
| CVE-2024-57699 | Oracle Communications Cloud Native Core Policy | Alarms, KPI, and Measurements (json-smart) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.0-24.2.4 | |
| CVE-2024-7254 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | Configuration (Google Protobuf-Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.2, 24.3.0 | |
| CVE-2024-57699 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | Signaling (json-smart) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.3 | |
| CVE-2025-24970 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | Signaling (Netty) | HTTP/2 | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.3 | |
| CVE-2024-49767 | Oracle Communications Cloud Native Core Service Communication Proxy | Signaling (Werkzeug) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.0, 24.3.0 | |
| CVE-2024-57699 | Oracle Communications Cloud Native Core Service Communication Proxy | Signaling (json-smart) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.3, 25.1.100 | |
| CVE-2024-47072 | Oracle Communications Cloud Native Core Unified Data Repository | Automated Test Suite Framework (XStream) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 25.1.100 | |
| CVE-2025-24970 | Oracle Communications Cloud Native Core Unified Data Repository | Install (Netty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.3, 25.1.100 | |
| CVE-2025-23184 | Oracle Communications Cloud Native Core Unified Data Repository | Signaling (Apache CXF) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 25.1.100 | |
| CVE-2024-28168 | Oracle Communications EAGLE Element Management System | Security (Apache FOP) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 46.6 | |
| CVE-2024-38819 | Oracle Communications Element Manager | Security (Spring Framework) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 9.0.0, 9.0.1, 9.0.2, 9.0.3 | |
| CVE-2024-49767 | Oracle Communications Network Analytics Data Director | Automated Test Suite Framework (Werkzeug) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.1.0-24.3.0 | |
| CVE-2024-47072 | Oracle Communications Network Analytics Data Director | Automated Test Suite Framework (XStream) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.1.0-24.3.0 | |
| CVE-2024-57699 | Oracle Communications Network Analytics Data Director | Automated Test Suite Framework (json-smart) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.1.0-24.3.0 | |
| CVE-2024-52303 | Oracle Communications Operations Monitor | Mediation Engine (AIOHTTP) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 5.2 | |
| CVE-2024-28168 | Oracle Communications Policy Management | Configuration Management Platform (Apache FOP) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 15.0.0.0.0 | |
| CVE-2024-47072 | Oracle Communications Policy Management | Configuration Management Platform (XStream) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 15.0.0.0.0 | |
| CVE-2024-4227 | Oracle Communications Policy Management | Configuration Management Platform (gSOAP) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 15.0.0.0.0 | |
| CVE-2024-4227 | Oracle Communications User Data Repository | Platform (gSOAP) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 15.0.0, 15.0.1, 15.0.2 | |
| CVE-2024-7254 | Oracle Communications User Data Repository | Security (Google Protobuf-Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 15.0.0, 15.0.1, 15.0.2 | |
| CVE-2024-38819 | Oracle SD-WAN Edge | Internal Tools (Spring Framework) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 9.1.1.9 | |
| CVE-2024-28219 | Oracle Communications Policy Management | Configuration Management Platform (Pillow) | None | No | 6.7 | Local | High | Low | Required | Unchanged | High | High | High | 15.0.0.0.0 | |
| CVE-2023-5388 | Oracle Communications Cloud Native Core Binding Support Function | Install (NSS) | HTTPS | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | None | Low | 24.2.0-24.2.2 | |
| CVE-2023-5388 | Oracle Communications Cloud Native Core Network Repository Function | Configuration (NSS) | HTTPS | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | None | Low | 24.2.3 | |
| CVE-2023-5388 | Oracle Communications Cloud Native Core Policy | Alarms, KPI, and Measurements (NSS) | HTTPS | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | None | Low | 24.2.0-24.2.4 | |
| CVE-2023-5388 | Oracle Communications Network Analytics Data Director | Automated Test Suite Framework (NSS) | HTTPS | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | None | Low | 24.1.0-24.3.0 | |
| CVE-2023-5388 | Oracle Communications Policy Management | Configuration Management Platform (NSS) | HTTPS | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | None | Low | 15.0.0.0.0 | |
| CVE-2024-12797 | Oracle Communications Cloud Native Core DBTier | Configuration (Cryptography) | HTTP | Yes | 6.3 | Network | Low | None | Required | Unchanged | Low | Low | Low | 24.2.3, 24.3.0 | |
| CVE-2024-12797 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | Signaling (Cryptography) | HTTP | Yes | 6.3 | Network | Low | None | Required | Unchanged | Low | Low | Low | 24.2.3 | |
| CVE-2025-27789 | Oracle Communications Cloud Native Core Policy | Alarms, KPI, and Measurements (Babel) | None | No | 6.2 | Local | Low | None | None | Unchanged | None | None | High | 24.2.0-24.2.4 | |
| CVE-2024-50602 | Oracle Communications Cloud Native Core Service Communication Proxy | Signaling (LibExpat) | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 24.2.0, 25.1.100 | |
| CVE-2024-50602 | Oracle Communications Network Analytics Data Director | Configuration (LibExpat) | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 24.1.0-24.3.0 | |
| CVE-2024-50602 | Oracle Communications User Data Repository | Platform (LibExpat) | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 14.0.0, 15.0.0, 15.0.1 | |
| CVE-2024-35195 | Oracle Communications Cloud Native Core Network Repository Function | Configuration (requests) | None | No | 5.6 | Local | High | High | Required | Unchanged | High | High | None | 24.2.3 | |
| CVE-2024-35195 | Oracle Communications Policy Management | Configuration Management Platform (requests) | None | No | 5.6 | Local | High | High | Required | Unchanged | High | High | None | 15.0.0.0.0 | |
| CVE-2023-49582 | Oracle Communications Cloud Native Core Network Repository Function | Configuration (Apache Portable Runtime) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 24.2.3 | |
| CVE-2023-49582 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | Automated Test Suite Framework (Apache Portable Runtime) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 24.2.3 | |
| CVE-2023-49582 | Oracle Communications Cloud Native Core Service Communication Proxy | Signaling (Apache Portable Runtime) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 24.2.0, 24.3.0 | |
| CVE-2023-49582 | Oracle Communications Cloud Native Core Unified Data Repository | Automated Test Suite Framework (Apache Portable Runtime) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 25.1.100 | |
| CVE-2024-34064 | Oracle Communications Cloud Native Core Network Repository Function | Configuration (Jinja) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 24.2.3 | |
| CVE-2024-34064 | Oracle Communications Diameter Signaling Router | Web UI (Jinja) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 9.0.0.0 | |
| CVE-2024-34064 | Oracle Communications Network Analytics Data Director | Automated Test Suite Framework (Jinja) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 24.1.0 | |
| CVE-2024-28834 | Management Cloud Engine | BEServer (GnuTLS) | HTTP | No | 5.3 | Network | High | Low | None | Unchanged | High | None | None | 24.3.0 | |
| CVE-2023-51074 | Oracle Communications Cloud Native Core Network Repository Function | Configuration (JsonPath) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 24.2.3 | |
| CVE-2023-51074 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | Configuration (JsonPath) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 24.2.2 | |
| CVE-2023-51074 | Oracle Communications Cloud Native Core Service Communication Proxy | Signaling (JsonPath) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 24.2.0, 24.3.0 | |
| CVE-2024-6763 | Oracle Communications Element Manager | Security (Eclipse Jetty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 9.0.0, 9.0.1, 9.0.2, 9.0.3 | |
| CVE-2023-51074 | Oracle Communications Network Analytics Data Director | Automated Test Suite Framework (JsonPath) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 24.1.0-24.3.0 | |
| CVE-2024-56128 | Oracle Communications Network Analytics Data Director | Security (Apache Kafka) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 24.1.0-24.3.0 | |
| CVE-2024-28834 | Oracle Communications Policy Management | Configuration Management Platform (GnuTLS) | HTTP | No | 5.3 | Network | High | Low | None | Unchanged | High | None | None | 15.0.0.0.0 | |
| CVE-2024-6763 | Oracle Communications Session Report Manager | Security (Eclipse Jetty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 9.0.0, 9.0.1, 9.0.2, 9.0.3 | |
| CVE-2024-38827 | Oracle Communications Cloud Native Core Network Repository Function | Configuration (Spring Security) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 24.2.3 | |
| CVE-2024-38827 | Oracle SD-WAN Edge | Internal Tools (Spring Security) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 9.1.1.9 | |
| CVE-2024-37891 | Oracle Communications Cloud Native Core Network Repository Function | Configuration (urllib3) | HTTP | No | 4.4 | Network | High | High | None | Unchanged | High | None | None | 24.2.3 | |
| CVE-2024-37891 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | Automated Test Suite Framework (urllib3) | TCP | No | 4.4 | Network | High | High | None | Unchanged | High | None | None | 24.2.3 | |
| CVE-2024-37891 | Oracle Communications Cloud Native Core Service Communication Proxy | Install (urllib3) | HTTP | No | 4.4 | Network | High | High | None | Unchanged | High | None | None | 24.2.0, 24.3.0 | |
| CVE-2024-37891 | Oracle Communications Diameter Signaling Router | Automated Test Suite Framework (urllib3) | HTTP | No | 4.4 | Network | High | High | None | Unchanged | High | None | None | 9.0.0.0 | |
| CVE-2024-47554 | Oracle Communications Cloud Native Core Binding Support Function | Install (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 24.2.0-24.2.2 | |
| CVE-2024-47554 | Oracle Communications Cloud Native Core Console | Configuration (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 24.2.2 | |
| CVE-2024-47554 | Oracle Communications Cloud Native Core Network Repository Function | Configuration (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 24.2.3 | |
| CVE-2025-31721 | Oracle Communications Cloud Native Core Network Repository Function | Configuration (Jenkins) | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 24.2.3 | |
| CVE-2024-47554 | Oracle Communications Cloud Native Core Policy | Alarms, KPI, and Measurements (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 24.2.0-24.2.4 | |
| CVE-2024-47554 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | Install (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 24.2.3 | |
| CVE-2025-31721 | Oracle Communications Cloud Native Core Unified Data Repository | Signaling (Jenkins) | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 22.4.0, 23.1.0-23.4.0 | |
| CVE-2024-47554 | Oracle Communications Diameter Signaling Router | Automated Test Suite (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 9.0.0.0 | |
| CVE-2024-47554 | Oracle Communications Network Analytics Data Director | Automated Test Suite Framework (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 24.1.0, 24.2.0, 24.3.0 | |
| CVE-2024-47554 | Oracle Communications Policy Management | Configuration Management Platform (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 15.0.0.0.0 | |

Additional CVEs addressed are:

The patch for CVE-2024-56337 also addresses CVE-2024-50379.
The patch for CVE-2024-43044 also addresses CVE-2024-43045.
The patch for CVE-2025-24928 also addresses CVE-2024-56171 and CVE-2025-27113.
The patch for CVE-2024-28834 also addresses CVE-2024-28835.
The patch for CVE-2025-27516 also addresses CVE-2024-56326.
The patch for CVE-2025-24970 also addresses CVE-2025-25193.
The patch for CVE-2025-27516 also addresses CVE-2024-56201.
The patch for CVE-2025-31721 also addresses CVE-2025-31720.
The patch for CVE-2025-24970 also addresses CVE-2024-47535.
The patch for CVE-2024-38819 also addresses CVE-2024-38820.
The patch for CVE-2024-5535 also addresses CVE-2024-6119.
The patch for CVE-2024-56337 also addresses CVE-2024-54677.
The patch for CVE-2024-38819 also addresses CVE-2024-38816.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

Management Cloud Engine

BEServer (Spring Framework): CVE-2024-38819 and CVE-2024-38816 (VEX Justification: vulnerable_code_not_in_execute_path).

Oracle Communications Cloud Native Core Binding Support Function

Alarms, KPI, and Measurements (Apache Tomcat): CVE-2024-56337 and CVE-2024-50379 (VEX Justification: inline_mitigations_already_exist).

Oracle Communications Cloud Native Core DBTier

Configuration (Apache Tomcat): CVE-2025-24813 (VEX Justification: inline_mitigations_already_exist).
Configuration (Netty): CVE-2025-24970 and CVE-2025-25193 (VEX Justification: inline_mitigations_already_exist).
Configuration (Spring Security): CVE-2025-22228 (VEX Justification: vulnerable_code_not_in_execute_path).

Oracle Communications Cloud Native Core Network Function Cloud Native Environment

Configuration (Golang Go): CVE-2024-45337 and CVE-2024-45338 (VEX Justification: vulnerable_code_not_in_execute_path).

Oracle Communications Cloud Native Core Policy

Alarms, KPI, and Measurements (Apache Tomcat): CVE-2024-56337 and CVE-2024-50379 (VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary).
Alarms, KPI, and Measurements (Apache Xalan-Java): CVE-2022-34169 (VEX Justification: vulnerable_code_not_in_execute_path).

Oracle Communications Element Manager

Oracle Java SE: CVE-2025-21502 (VEX Justification: vulnerable_code_not_present).

Oracle SD-WAN Aware

Internal Tools (PHP): CVE-2024-11236, CVE-2024-11233 and CVE-2024-11234 (VEX Justification: vulnerable_code_not_present).

Oracle SD-WAN Edge

Internal Tools (urllib3): CVE-2024-37891 (VEX Justification: vulnerable_code_not_in_execute_path).
Internal Tools (NSS): CVE-2023-5388 (VEX Justification: vulnerable_code_not_present).
Internal Tools (OpenSSH): CVE-2025-26465 and CVE-2025-26466 (VEX Justification: vulnerable_code_not_present).
Internal Tools (Apache Portable Runtime): CVE-2023-49582 (VEX Justification: vulnerable_code_not_present).

 
Oracle Construction and Engineering Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Construction and Engineering.  6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2024-7254 | Primavera Gateway | Admin (Google Protobuf-Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 20.12.0-20.12.17, 21.12.0-21.12.15 | |
| CVE-2024-57699 | Primavera Gateway | Admin (json-smart) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 20.12.0-20.12.17, 21.12.0-21.12.15 | |
| CVE-2024-38819 | Primavera Unifier | Document Management (Spring Framework) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 22.12.0-22.12.15, 23.12.0-23.12.13, 24.12.0-24.12.3 | |
| CVE-2024-57699 | Primavera Unifier | Platform (json-smart) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 21.12.0-21.12.17, 22.12.0-22.12.15, 23.12.0-23.12.13, 24.12.0-24.12.3 | |
| CVE-2025-23184 | Primavera P6 Enterprise Project Portfolio Management | Integrators (Apache CXF) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 22.12.0-22.12.18, 23.12.0-23.12.13, 24.12.0-24.12.2 | |
| CVE-2024-49771 | Primavera Unifier | Platform (MPXJ) | HTTPS | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 20.12.0-20.12.16, 21.12.0-21.12.17, 22.12.0-22.12.15, 23.12.0-23.12.13, 24.12.0-24.12.3 | |
| CVE-2024-47554 | Primavera Gateway | Admin (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 20.12.0-20.12.17, 21.12.0-21.12.15 | |

Additional CVEs addressed are:

The patch for CVE-2024-38819 also addresses CVE-2024-38820.

 
Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 16 new security patches for Oracle E-Business Suite.  11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the April 2025 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (April 2025), My Oracle Support Note 2484000.1.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2025-30727 | Oracle Scripting | iSurvey Module | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.3-12.2.14 | |
| CVE-2025-30730 | Oracle Application Object Library | Core | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.5-12.2.14 | |
| CVE-2025-30716 | Oracle Common Applications | CRM User Management Framework | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.2.3-12.2.14 | |
| CVE-2025-30728 | Oracle Configurator | Core | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.2.3-12.2.14 | |
| CVE-2025-30707 | Oracle iStore | User Management | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.2.3-12.2.14 | |
| CVE-2025-30708 | Oracle User Management | Search and Register Users | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.2.4-12.2.14 | |
| CVE-2025-30692 | Oracle iSupplier Portal | Attachments | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 12.2.7-12.2.14 | |
| CVE-2025-30717 | Oracle Teleservice | Service Diagnostics Scripts | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 12.2.3-12.2.14 | |
| CVE-2025-30732 | Oracle Application Object Library | Core | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.3-12.2.14 | |
| CVE-2025-30720 | Oracle Configurator | Orders | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.3-12.2.14 | |
| CVE-2025-21582 | Oracle CRM Technical Foundation | Preferences | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.3-12.2.14 | |
| CVE-2025-30711 | Oracle Applications Framework | Attachments, File Upload | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 12.2.3-12.2.14 | |
| CVE-2025-30718 | Oracle Applications Framework | Attachments, File Upload | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 12.2.3-12.2.14 | |
| CVE-2025-30726 | Oracle Application Object Library | Core | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 12.2.3-12.2.14 | |
| CVE-2024-38828 | Oracle Enterprise Command Center Framework | ECC Core (Spring MVC) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | ECC:12-13 | |
| CVE-2025-30731 | Oracle Applications Technology Stack | Configuration | None | No | 3.6 | Local | High | None | Required | Unchanged | Low | Low | None | 12.2.3-12.2.14 | |

 
Oracle Enterprise Manager Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Enterprise Manager.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the April 2025 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2025 Patch Availability Document for Oracle Products, My Oracle Support Note 3070733.1.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2022-45047 | Oracle Enterprise Manager Base Platform | Agent Next Gen (Apache Mina SSHD) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 13.5.0.0.0, 24.1.0.0.0 | |
| CVE-2024-52046 | Oracle Enterprise Manager Base Platform | Agent Next Gen (Apache Mina) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 13.5.0.0.0, 24.1.0.0.0 | |
| CVE-2024-57699 | Oracle Application Testing Suite | Load Testing for Web Apps (json-smart) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 13.3.0.1 | |
| CVE-2023-1370 | Oracle Enterprise Manager Base Platform | Agent Next Gen (json-smart) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 13.5.0.0.0, 24.1.0.0.0 | |

Additional CVEs addressed are:

The patch for CVE-2023-1370 also addresses CVE-2021-31684.
The patch for CVE-2024-52046 also addresses CVE-2023-35887.

 
Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 34 new security patches, plus additional third party patches noted below, for Oracle Financial Services Applications.  22 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2024-56337 | Oracle Financial Services Model Management and Governance | Installer (Apache Tomcat) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.1.2.7.0 | |
| CVE-2023-39410 | Oracle Banking APIs | IDM Authentication (Apache Avro) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0 | |
| CVE-2024-28168 | Oracle Banking APIs | IDM Authentication (Apache FOP) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0 | |
| CVE-2025-24970 | Oracle Banking APIs | IDM Authentication (Netty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0 | |
| CVE-2024-47072 | Oracle Banking APIs | IDM Authentication (XStream) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0 | |
| CVE-2024-57699 | Oracle Banking APIs | IDM Authentication (json-smart) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0 | |
| CVE-2024-28168 | Oracle Banking Digital Experience | User Interface (Apache FOP) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0 | |
| CVE-2025-24970 | Oracle Banking Digital Experience | User Interface (Netty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0 | |
| CVE-2024-57699 | Oracle Banking Digital Experience | User Interface (json-smart) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0 | |
| CVE-2024-38819 | Oracle Financial Services Analytical Applications Infrastructure | Platform (Spring Framework) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 8.1.2.5, 8.1.1.4, 8.0.8.6, 8.0.7.8 | |
| CVE-2024-57699 | Oracle Financial Services Analytical Applications Infrastructure | Platform (json-smart) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.1.2.5, 8.1.1.4, 8.0.8.6, 8.0.7.8 | |
| CVE-2024-28168 | Oracle Financial Services Revenue Management and Billing | Installer (Apache FOP) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 2.9.0.0.0-7.0.0.0.0 | |
| CVE-2024-28219 | Oracle Banking Corporate Lending Process Management | Base (Pillow) | None | No | 6.7 | Local | High | Low | Required | Unchanged | High | High | High | 14.5.0.0.0-14.7.0.0.0 | |
| CVE-2024-28219 | Oracle Banking Origination | Maintenance (Pillow) | None | No | 6.7 | Local | High | Low | Required | Unchanged | High | High | High | 14.5.0.0.0-14.7.0.0.0 | |
| CVE-2024-28219 | Oracle Banking Origination | Onboarding Batch Processes (Pillow) | None | No | 6.7 | Local | High | Low | Required | Unchanged | High | High | High | 14.5.0.0.0-14.7.0.0.0 | |
| CVE-2025-21573 | Oracle Financial Services Revenue Management and Billing | Chatbot | HTTP | No | 6.0 | Network | High | High | Required | Unchanged | High | High | Low | 5.1.0.0.0, 6.1.0.0.0, 7.0.0.0.0 | |
| CVE-2025-23184 | Oracle Banking Digital Experience | User Interface (Apache CXF) | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0 | |
| CVE-2024-35195 | Oracle Banking Corporate Lending Process Management | Base (requests) | HTTP | No | 5.7 | Network | High | High | Required | Unchanged | High | High | None | 14.5.0.0.0-14.7.0.0.0 | |
| CVE-2024-35195 | Oracle Banking Origination | Maintenance (requests) | HTTP | No | 5.7 | Network | High | High | Required | Unchanged | High | High | None | 14.5.0.0.0-14.7.0.0.0 | |
| CVE-2023-49582 | Oracle Financial Services Behavior Detection Platform | Platform (Apache Portable Runtime) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 8.1.2.8, 8.1.2.9, 8.0.8.1 | |
| CVE-2023-49582 | Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition | Platform (Apache Portable Runtime) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 8.0.8 | |
| CVE-2024-56128 | Oracle Banking APIs | IDM Authentication (Apache Kafka) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 22.1.0.0.0, 22.2.0.0.0 | |
| CVE-2024-56128 | Oracle Banking Digital Experience | User Interface (Apache Kafka) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 22.1.0.0.0, 22.2.0.0.0 | |
| CVE-2021-28170 | Oracle Banking Liquidity Management | Common Core (Jakarta Expression Language) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 14.7.0.7.0 | |
| CVE-2024-38820 | Oracle Banking Liquidity Management | Infrastructure (Spring Framework) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 14.7.0.7.0 | |
| CVE-2024-38827 | Oracle Financial Services Model Management and Governance | Installer (Spring Security) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 8.1.2.7.0 | |
| CVE-2024-5206 | Oracle Financial Services Compliance Studio | Reports (scikit-learn) | None | No | 4.7 | Local | High | Low | None | Unchanged | High | None | None | 8.1.2.9 | |
| CVE-2024-37891 | Oracle Banking Corporate Lending Process Management | Base (urllib3) | HTTP | No | 4.4 | Network | High | High | None | Unchanged | High | None | None | 14.5.0.0.0-14.7.0.0.0 | |
| CVE-2024-37891 | Oracle Banking Origination | Configuration and Maintenance (urllib3) | HTTP | No | 4.4 | Network | High | High | None | Unchanged | High | None | None | 14.5.0.0.0-14.7.0.0.0 | |
| CVE-2024-37891 | Oracle Financial Services Compliance Studio | Reports (urllib3) | HTTP | No | 4.4 | Network | High | High | None | Unchanged | High | None | None | 8.1.2.9 | |
| CVE-2024-47554 | Oracle Banking APIs | IDM Authentication (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0 | |
| CVE-2024-47554 | Oracle Banking Digital Experience | User Interface (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0 | |
| CVE-2024-47554 | Oracle Financial Services Analytical Applications Infrastructure | Platform (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 8.1.2.5, 8.1.1.4, 8.0.8.6, 8.0.7.8 | |
| CVE-2024-47554 | Oracle Financial Services Model Management and Governance | Installer (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 8.1.2.7.0 | |

Additional CVEs addressed are:

The patch for CVE-2024-56337 also addresses CVE-2024-50379 and CVE-2024-54677.
The patch for CVE-2025-24970 also addresses CVE-2025-25193.
The patch for CVE-2024-38820 also addresses CVE-2024-38816.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

Oracle Banking APIs

IDM Authentication (RequireJS): CVE-2024-38998 and CVE-2024-38999 (VEX Justification: vulnerable_code_not_in_execute_path).

 
Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Food and Beverage Applications.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2025-30686 | Oracle Hospitality Simphony | EMC | HTTP | No | 7.6 | Network | Low | Low | None | Unchanged | High | Low | Low | 19.1-19.7 | |
| CVE-2023-26464 | Oracle Hospitality Reporting and Analytics | Installation (Apache Log4j) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 9.1.34-9.1.36 | |
| CVE-2023-51441 | Oracle Hospitality Reporting and Analytics | Reporting (Apache Axis) | HTTP | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | Low | None | 9.1.34-9.1.36 | |

Additional CVEs addressed are:

The patch for CVE-2023-51441 also addresses CVE-2023-40743.

 
Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 31 new security patches for Oracle Fusion Middleware.  26 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

To get the full list of current and previously released Critical Patch Update patches for Oracle Fusion Middleware products, refer to My Oracle Support Doc ID 2806740.2.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2024-52046 | Oracle Access Manager | Proxy (Apache Mina) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0 | |
| CVE-2024-52046 | Oracle Business Process Management Suite | Runtime Engine (Apache Mina) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0, 14.1.2.0.0 | |
| CVE-2024-38476 | Oracle HTTP Server | Core (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0 | |
| CVE-2024-52046 | Oracle Managed File Transfer | Runtime Server (Apache Mina) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0, 14.1.2.0.0 | |
| CVE-2024-56337 | Oracle Managed File Transfer | Runtime Server (Apache Tomcat) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0 | |
| CVE-2024-47561 | Oracle SOA Suite | Rest Converters (Apache Avro) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.1.2.0.0 | |
| CVE-2024-40896 | Oracle HTTP Server | Core (libxml2) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | None | High | High | 12.2.1.4.0, 14.1.2.0.0 | |
| CVE-2024-11053 | Oracle HTTP Server | Mod_Security (curl) | TLS | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 12.2.1.4.0, 14.1.2.0.0 | |
| CVE-2020-13936 | Oracle WebLogic Server | Centralized Thirdparty Jars (Apache Velocity Engine) | Multiple | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2025-27363 | Oracle Outside In Technology | DC-Specific Component (FreeType) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 8.5.7 | |
| CVE-2024-28168 | Oracle Business Process Management Suite | Plugins (Apache FOP) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.2.1.4.0, 14.1.2.0.0 | |
| CVE-2025-24970 | Oracle Coherence | Third Party (Netty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 | |
| CVE-2024-7254 | Oracle Fusion Middleware MapViewer | Install (Google Protobuf-Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0 | |
| CVE-2023-26464 | Oracle JDeveloper | Generic (Apache Log4j) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0 | |
| CVE-2020-25649 | Oracle Managed File Transfer | Runtime Server (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 12.2.1.4.0 | |
| CVE-2024-29857 | Oracle SOA Suite | Adapters (Bouncy Castle Java Library) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0, 14.1.2.0.0 | |
| CVE-2025-23184 | Oracle WebCenter Forms Recognition | Learnset Manager (Apache CXF) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 14.1.1.0.0 | |
| CVE-2024-47072 | Oracle WebCenter Portal | Discussion Forums (XStream) | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0 | |
| CVE-2024-47561 | Oracle Business Process Management Suite | Composer, Third Party (Apache Avro) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 12.2.1.4.0 | |
| CVE-2024-11612 | Oracle Outside In Technology | Build (7-Zip) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 8.5.7 | |
| CVE-2024-50602 | Oracle HTTP Server | Mod_Security (LibExpat) | TLS | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 12.2.1.4.0, 14.1.2.0.0 | |
| CVE-2024-50602 | Oracle Outside In Technology | DC-Specific Component (LibExpat) | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 8.5.7 | |
| CVE-2024-25710 | Oracle Business Process Management Suite | Composer, Common (Apache Commons Compress) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 12.2.1.4.0 | |
| CVE-2024-25710 | Oracle Data Integrator | Security (Apache Commons Compress) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 12.2.1.4.0 | |
| CVE-2024-25710 | Oracle JDeveloper | Generic (Apache Commons Compress) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 12.2.1.4.0 | |
| CVE-2024-47554 | Oracle Business Activity Monitoring | Server, Composer (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 14.1.2.0.0 | |
| CVE-2024-47554 | Oracle Fusion Middleware MapViewer | Core (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 12.2.1.4.0 | |
| CVE-2024-9143 | Oracle HTTP Server | Mod_Security (OpenSSL) | TLS | No | 4.3 | Network | Low | Low | None | Unchanged | None | Low | None | 12.2.1.4.0, 14.1.2.0.0 | |
| CVE-2024-47554 | Oracle Service Bus | Workshop (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 12.2.1.4.0 | |
| CVE-2024-47554 | Oracle SOA Suite | Rest Converters (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 12.2.1.4.0, 14.1.2.0.0 | |
| CVE-2024-47554 | Oracle WebCenter Forms Recognition | Learnset Manager (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 14.1.1.0.0 | |

Additional CVEs addressed are:

The patch for CVE-2024-25710 also addresses CVE-2024-26308.
The patch for CVE-2024-9143 also addresses CVE-2024-13176.
The patch for CVE-2024-11053 also addresses CVE-2024-9681.
The patch for CVE-2024-56337 also addresses CVE-2024-50379 and CVE-2024-54677.
The patch for CVE-2024-38476 also addresses CVE-2024-38474, CVE-2024-39573, CVE-2024-39884, and CVE-2024-40725.
The patch for CVE-2025-27363 also addresses CVE-2025-23022.
The patch for CVE-2025-24970 also addresses CVE-2025-25193.
The patch for CVE-2020-25649 also addresses CVE-2020-36518, CVE-2021-46877, CVE-2022-42003, CVE-2022-42004, and CVE-2023-35116.

 
Oracle Analytics Risk Matrix

This Critical Patch Update contains 15 new security patches for Oracle Analytics.  11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2024-52046 | Oracle Business Intelligence Enterprise Edition | Platform Security (Apache Mina) | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0 | |
| CVE-2023-24998 | Oracle BI Publisher | Development Operations (Apache Commons FileUpload) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 7.6.0.0.0, 12.2.1.4.0 | |
| CVE-2025-30724 | Oracle BI Publisher | XML Services | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 7.6.0.0.0, 12.2.1.4.0 | |
| CVE-2024-32007 | Oracle Business Intelligence Enterprise Edition | Analytics Server, Client Installer (Apache CXF) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 7.6.0.0.0, 12.2.1.4.0 | |
| CVE-2023-52428 | Oracle Business Intelligence Enterprise Edition | Analytics Server (Nimbus JOSE+JWT) | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 7.6.0.0.0 | |
| CVE-2024-30172 | Oracle Business Intelligence Enterprise Edition | Platform Security (Bouncy Castle Java Library) | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 7.6.0.0.0 | |
| CVE-2024-7264 | Oracle Business Intelligence Enterprise Edition | Platform Security (curl) | Multiple | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 7.6.0.0.0 | |
| CVE-2022-36033 | Oracle Business Intelligence Enterprise Edition | Platform Security (jsoup) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.1.4.0 | |
| CVE-2023-25399 | Oracle Business Intelligence Enterprise Edition | Pipeline Test Failures (SciPy) | None | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 7.6.0.0.0 | |
| CVE-2025-30723 | Oracle BI Publisher | XML Services | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | None | Low | Low | 7.6.0.0.0, 12.2.1.4.0 | |
| CVE-2024-38820 | Oracle BI Publisher | Development Operations (Spring Framework) | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 7.6.0.0.0 | |
| CVE-2024-38827 | Oracle Business Intelligence Enterprise Edition | Analytics Server, Pipeline Test Failures, Installation (Spring Framework) | Multiple | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 12.2.1.4.0 | |
| CVE-2024-37891 | Oracle Business Intelligence Enterprise Edition | Machine Learning (urllib3) | HTTP | No | 4.4 | Network | High | High | None | Unchanged | High | None | None | 7.6.0.0.0 | |
| CVE-2024-9143 | Oracle Business Intelligence Enterprise Edition | FNDN (OpenSSL) | TLS | No | 4.3 | Network | Low | Low | None | Unchanged | None | Low | None | 7.6.0.0.0, 12.2.1.4.0 | |
| CVE-2023-38546 | Oracle Business Intelligence Enterprise Edition | Platform Security (libcurl) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | None | Low | None | 12.2.1.4.0 | |

Additional CVEs addressed are:

The patch for CVE-2022-36033 also addresses CVE-2021-37714.
The patch for CVE-2024-32007 also addresses CVE-2024-29736.
The patch for CVE-2023-52428 also addresses CVE-2023-44487.
The patch for CVE-2024-52046 also addresses CVE-2021-41973.

 
Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Hospitality Applications.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2024-52316 | Oracle Hospitality Cruise Shipboard Property Management System | Next-Gen SPMS (Apache Tomcat) | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 23.2.1 | |
| CVE-2024-47535 | Oracle Hospitality Cruise Shipboard Property Management System | Next-Gen SPMS (Netty) | None | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 23.2.1 | |
| CVE-2024-47554 | Oracle Hospitality Cruise Shipboard Property Management System | Next-Gen SPMS (Apache Commons IO) | HTTPS | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 23.2.1 | |

Additional CVEs addressed are:

The patch for CVE-2024-52316 also addresses CVE-2024-52317.

 
Oracle Hyperion Risk Matrix

This Critical Patch Update contains 3 new security patches, plus additional third party patches noted below, for Oracle Hyperion.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2024-11053 | Oracle Hyperion Infrastructure Technology | Installation and Configuration (curl) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 11.2.19.0.000 | |
| CVE-2025-30737 | Oracle Smart View for Office | Core Smart View | HTTP | No | 5.7 | Network | High | High | Required | Unchanged | High | High | None | 24.200 | |
| CVE-2024-47554 | Oracle Hyperion Infrastructure Technology | Installation and Configuration (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 11.2.19.0.000 | |

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

Oracle Hyperion Financial Reporting

Installation (RequireJS): CVE-2024-38998 and CVE-2024-38999 (VEX Justification: vulnerable_code_not_in_execute_path).

 
Oracle Insurance Applications Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Insurance Applications.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVSS Version 3.1 risk (see Risk Matrix Definitions) is given in the Base Score through Availability columns.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-38819 | Oracle Documaker | Docupresentment IDS Server (Spring Framework) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.7.1.6, 12.7.2.3, 13.0.0.1 | |

Additional CVEs addressed are:

The patch for CVE-2024-38819 also addresses CVE-2024-38820.

 
Oracle Java SE Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Java SE.  5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Low" instead of "High", lowering the CVSS Base Score. For example, a Base Score of 9.6 becomes 7.1.

Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service users: click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.

CVSS Version 3.1 risk (see Risk Matrix Definitions) is given in the Base Score through Availability columns.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2025-23083 | Oracle GraalVM for JDK | Node (Node.js) | None | No | 7.7 | Local | Low | None | None | Unchanged | High | High | None | Oracle GraalVM for JDK: 17.0.14, 21.0.6 | |
| CVE-2024-54534 | Oracle Java SE, Oracle GraalVM Enterprise Edition | JavaFX (WebKitGTK) | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | Oracle Java SE: 8u441; Oracle GraalVM Enterprise Edition: 20.3.17, 21.3.13 | See Note 1 |
| CVE-2024-47606 | Oracle Java SE, Oracle GraalVM Enterprise Edition | JavaFX (gstreamer) | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | Oracle Java SE: 8u441, 8u441-perf; Oracle GraalVM Enterprise Edition: 20.3.17, 21.3.13 | See Note 1 |
| CVE-2025-21587 | Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition | JSSE | Multiple | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | Oracle Java SE: 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM for JDK: 17.0.14, 21.0.6, 24; Oracle GraalVM Enterprise Edition: 20.3.17, 21.3.13 | See Note 2 |
| CVE-2025-30698 | Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition | 2D | Multiple | Yes | 5.6 | Network | High | None | None | Unchanged | Low | Low | Low | Oracle Java SE: 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM for JDK: 17.0.14, 21.0.6, 24; Oracle GraalVM Enterprise Edition: 20.3.17, 21.3.13 | See Note 1 |
| CVE-2025-30691 | Oracle Java SE | Compiler | Multiple | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | Oracle Java SE: 21.0.6, 24; Oracle GraalVM for JDK: 21.0.6, 24 | See Note 2 |

Notes:

1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
2. This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

 
Additional CVEs addressed are:

The patch for CVE-2024-54534 also addresses CVE-2024-27856, CVE-2024-40866, CVE-2024-44185, CVE-2024-44187, CVE-2024-44244, CVE-2024-44296, CVE-2024-44308, CVE-2024-44309, CVE-2024-54479, CVE-2024-54502, CVE-2024-54505, CVE-2024-54508, CVE-2024-54543, CVE-2025-24143, CVE-2025-24150, CVE-2025-24158, and CVE-2025-24162.
The patch for CVE-2024-47606 also addresses CVE-2024-47544, CVE-2024-47545, CVE-2024-47546, CVE-2024-47596, CVE-2024-47597, CVE-2024-47775, CVE-2024-47776, CVE-2024-47777, and CVE-2024-47778.
The patch for CVE-2025-23083 also addresses CVE-2025-23084 and CVE-2025-23085.

 
Oracle JD Edwards Risk Matrix

This Critical Patch Update contains 8 new security patches for Oracle JD Edwards.  5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVSS Version 3.1 risk (see Risk Matrix Definitions) is given in the Base Score through Availability columns.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-23807 | JD Edwards EnterpriseOne Tools | Interoperability SEC (Apache Xerces-C++) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.2.0.0-9.2.9.2 | |
| CVE-2024-5535 | JD Edwards EnterpriseOne Tools | Enterprise Infrastructure SEC (OpenSSL) | TLS | Yes | 9.1 | Network | Low | None | None | Unchanged | High | None | High | 9.2.0.0-9.2.9.2 | |
| CVE-2025-30740 | JD Edwards EnterpriseOne Tools | Web Runtime SEC | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 9.2.0.0-9.2.9.2 | |
| CVE-2025-30709 | JD Edwards EnterpriseOne Tools | Web Runtime SEC | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.2.0.0-9.2.9.2 | |
| CVE-2024-45613 | JD Edwards EnterpriseOne Tools | Web Runtime SEC (CKEditor) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.2.0.0-9.2.9.2 | |
| CVE-2024-25710 | JD Edwards EnterpriseOne Tools | Web Runtime SEC (Apache Commons Compress) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 9.2.0.0-9.2.9.2 | |
| CVE-2025-21586 | JD Edwards EnterpriseOne Tools | Web Runtime SEC | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 9.2.0.0-9.2.9.2 | |
| CVE-2024-47554 | JD Edwards EnterpriseOne Tools | Web Runtime SEC (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 9.2.0.0-9.2.9.2 | |

Additional CVEs addressed are:

The patch for CVE-2024-25710 also addresses CVE-2024-26308.
The patch for CVE-2024-5535 also addresses CVE-2024-6119.

 
Oracle MySQL Risk Matrix

This Critical Patch Update contains 43 new security patches, plus additional third party patches noted below, for Oracle MySQL.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVSS Version 3.1 risk (see Risk Matrix Definitions) is given in the Base Score through Availability columns.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-40896 | MySQL Workbench | MySQL Workbench (libxml2) | MySQL Workbench | Yes | 9.1 | Network | Low | None | None | Unchanged | None | High | High | 8.0.0-8.0.41 | |
| CVE-2025-30706 | MySQL Connectors | Connector/J | MySQL Protocol | No | 7.5 | Network | High | Low | None | Unchanged | High | High | High | 9.0.0-9.2.0 | |
| CVE-2024-7254 | MySQL Connectors | Connector/J (Google Protobuf-Java) | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 9.0.0-9.1.0 | |
| CVE-2025-21574 | MySQL Cluster | Cluster: General | Multiple | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 7.6.0-7.6.33, 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2025-21575 | MySQL Cluster | Cluster: General | Multiple | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 7.6.0-7.6.33, 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2025-21577 | MySQL Server | InnoDB | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2025-30682 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2025-30687 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2025-30688 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2025-21574 | MySQL Server | Server: Parser | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2025-21575 | MySQL Server | Server: Parser | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2025-30722 | MySQL Client | Client: mysqldump | MySQL Protocol | No | 5.9 | Network | High | Low | None | Unchanged | High | Low | None | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2025-30693 | MySQL Cluster | Cluster: General | Multiple | No | 5.5 | Network | Low | High | None | Unchanged | None | Low | High | 7.6.0-7.6.33, 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2025-30693 | MySQL Server | InnoDB | MySQL Protocol | No | 5.5 | Network | Low | High | None | Unchanged | None | Low | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2025-30695 | MySQL Server | InnoDB | MySQL Protocol | No | 5.5 | Network | Low | High | None | Unchanged | None | Low | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2025-30722 | MySQL Cluster | Cluster: General | Multiple | No | 5.3 | Network | High | Low | None | Unchanged | High | None | None | 7.6.0-7.6.33, 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2025-30710 | MySQL Cluster | Cluster: NDBCluster Plugin | Multiple | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2025-30715 | MySQL Server | Server: Components Services | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2025-21583 | MySQL Server | Server: DDL | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.4.0, 9.0.0 | |
| CVE-2025-21584 | MySQL Server | Server: DDL | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2025-21580 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2025-21588 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2025-21581 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2025-21585 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2025-30689 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2025-21579 | MySQL Server | Server: Options | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2025-30696 | MySQL Server | Server: PS | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2025-30705 | MySQL Server | Server: PS | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2025-30683 | MySQL Server | Server: Replication | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2025-30684 | MySQL Server | Server: Replication | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2025-30685 | MySQL Server | Server: Replication | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2025-30699 | MySQL Server | Server: Stored Procedure | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2025-30714 | MySQL Connectors | Connector/Python | MySQL Protocol | No | 4.8 | Network | High | Low | Required | Unchanged | High | None | None | 9.0.0-9.2.0 | |
| CVE-2025-30704 | MySQL Server | Server: Components Services | MySQL Protocol | No | 4.4 | Network | High | High | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2024-13176 | MySQL Connectors | Connector/C++ (OpenSSL) | None | No | 4.1 | Physical | Low | Low | None | Unchanged | Low | Low | Low | 9.0.0-9.2.0 | |
| CVE-2024-13176 | MySQL Connectors | Connector/ODBC (OpenSSL) | None | No | 4.1 | Physical | Low | Low | None | Unchanged | Low | Low | Low | 9.0.0-9.2.0 | |
| CVE-2024-13176 | MySQL Enterprise Backup | Enterprise Backup (OpenSSL) | None | No | 4.1 | Physical | Low | Low | None | Unchanged | Low | Low | Low | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2024-13176 | MySQL Server | Server: Packaging (OpenSSL) | MySQL Protocol | No | 4.1 | Physical | Low | Low | None | Unchanged | Low | Low | Low | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2024-13176 | MySQL Workbench | MySQL Workbench (OpenSSL) | None | No | 4.1 | Physical | Low | Low | None | Unchanged | Low | Low | Low | 8.0.0-8.0.41 | |
| CVE-2025-30721 | MySQL Server | Server: UDF | None | No | 4.0 | Local | High | High | Required | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2025-30681 | MySQL Cluster | Cluster: General | Multiple | No | 2.7 | Network | Low | High | None | Unchanged | None | None | Low | 7.6.0-7.6.33, 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2025-30703 | MySQL Server | InnoDB | MySQL Protocol | No | 2.7 | Network | Low | High | None | Unchanged | None | Low | None | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |
| CVE-2025-30681 | MySQL Server | Server: Replication | MySQL Protocol | No | 2.7 | Network | Low | High | None | Unchanged | None | None | Low | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 | |

Additional CVEs addressed are:

The patch for CVE-2024-13176 also addresses CVE-2024-9143.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

MySQL Shell

Shell General / Core Client (OpenSSL): CVE-2024-6119 (VEX Justification: vulnerable_code_not_in_execute_path).

 
Oracle PeopleSoft Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle PeopleSoft.  1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVSS Version 3.1 risk (see Risk Matrix Definitions) is given in the Base Score through Availability columns.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2025-30735 | PeopleSoft Enterprise CC Common Application Objects | Page and Field Configuration | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 9.2 | |
| CVE-2023-52428 | PeopleSoft Enterprise PeopleTools | Security (Nimbus JOSE+JWT) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.60, 8.61, 8.62 | |
| CVE-2025-30713 | PeopleSoft Enterprise HCM Talent Acquisition Manager | Job Opening | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 9.2 | |
| CVE-2025-30697 | PeopleSoft Enterprise PeopleTools | Panel Processor | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 8.60, 8.61, 8.62 | |

 
Oracle Policy Automation Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Policy Automation.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVSS Version 3.1 risk (see Risk Matrix Definitions) is given in the Base Score through Availability columns.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-57699 | Oracle Policy Automation | Determinations Engine (json-smart) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.0-12.2.36 | |
| CVE-2024-47554 | Oracle Policy Automation | Determinations Engine (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 12.2.0-12.2.36 | |
| CVE-2024-47554 | Oracle Policy Modeling | Generic (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 12.2.0-12.2.36 | |

 
Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 11 new security patches, plus additional third party patches noted below, for Oracle Retail Applications.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVSS Version 3.1 risk (see Risk Matrix Definitions) is given in the Base Score through Availability columns.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-34381 | Oracle Retail Store Inventory Management | Core (BSAFE Crypto-J) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 16.0.3.16 | |
| CVE-2024-22243 | Oracle Retail Xstore Point of Service | Point of Sale (Spring Framework) | HTTP | Yes | 8.1 | Network | Low | None | Required | Unchanged | High | High | None | 19.0.6, 20.0.5, 21.0.4, 22.0.2, 23.0.2, 24.0.1 | |
| CVE-2023-24998 | Oracle Retail Store Inventory Management | Core (Apache Commons FileUpload) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 16.0.3.16 | |
| CVE-2023-46589 | Oracle Retail Xstore Point of Service | Xenvironment (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 19.0.6, 20.0.5, 21.0.4, 22.0.2, 23.0.2, 24.0.1 | |
| CVE-2023-48795 | Oracle Retail Xstore Point of Service | Xenvironment (Apache Mina SSHD) | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | High | None | 19.0.6, 20.0.5, 21.0.4, 22.0.2, 23.0.2, 24.0.1 | |
| CVE-2023-40167 | Oracle Retail Xstore Point of Service | Point of Sale (Eclipse Jetty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 19.0.6, 20.0.5, 21.0.4, 22.0.2, 23.0.2, 24.0.1 | |
| CVE-2023-51074 | Oracle Retail Xstore Point of Service | Xenvironment (JsonPath) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 19.0.6, 20.0.5, 21.0.4, 22.0.2, 23.0.2, 24.0.1 | |
| CVE-2024-29025 | Oracle Retail Xstore Point of Service | Xenvironment (Netty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 19.0.6, 20.0.5, 21.0.4, 22.0.2, 23.0.2, 24.0.1 | |
| CVE-2024-47554 | Oracle Retail Order Broker | Order Broker Foundation – OBF (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 19.1 | |
| CVE-2024-47554 | Oracle Retail Store Inventory Management | Core (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 16.0.3.16 | |
| CVE-2024-47554 | Oracle Retail Xstore Point of Service | Xenvironment (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 19.0.6, 20.0.5, 21.0.4, 22.0.2, 23.0.2, 24.0.1 | |

Additional CVEs addressed are:

The patch for CVE-2023-48795 also addresses CVE-2023-35887.
The patch for CVE-2024-22243 also addresses CVE-2016-1000027, CVE-2024-38819, and CVE-2024-38820.
The patch for CVE-2023-40167 also addresses CVE-2023-36479.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

Oracle Retail Xstore Point of Service

Xenvironment (Apache Commons Configuration): CVE-2024-29133 and CVE-2024-29131 (VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary).

 
Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Siebel CRM.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVSS Version 3.1 risk (see Risk Matrix Definitions) is given in the Base Score through Availability columns.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-47197 | Siebel CRM Deployment | Application Interface (Apache Maven Shared Utils) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 17.0-25.2 | |
| CVE-2024-9902 | Siebel CRM Cloud Applications | Siebel Cloud Manager (Ansible) | None | No | 6.3 | Local | High | Low | Required | Unchanged | High | High | Low | 17.0-24.12 | |
| CVE-2024-42367 | Siebel CRM Cloud Applications | Siebel Cloud Manager (AIOHTTP) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 17.0-24.11 | |
| CVE-2024-38357 | Siebel CRM End User | EAI, UI (TinyMCE) | None | No | 3.1 | Local | Low | High | Required | Unchanged | Low | Low | None | 24.7-25.2 | |

Additional CVEs addressed are:

The patch for CVE-2024-9902 also addresses CVE-2024-8775.

 
Oracle Supply Chain Risk Matrix

This Critical Patch Update contains 3 new security patches, plus additional third party patches noted below, for Oracle Supply Chain.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVSS Version 3.1 risk (see Risk Matrix Definitions) is given in the Base Score through Availability columns.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-56337 | Oracle Agile Engineering Data Management | Document Management (Apache Tomcat) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 6.2.1 | |
| CVE-2023-37536 | Oracle Demantra Demand Management | Forecast Engine (Apache Xerces-C++) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 12.2.6-12.2.14 | |
| CVE-2024-47554 | Oracle Agile Engineering Data Management | Document Management (Apache Commons IO) | Multiple | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 6.2.1 | |

Additional CVEs addressed are:

The patch for CVE-2024-56337 also addresses CVE-2024-50379 and CVE-2024-54677.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

Oracle Demantra Demand Management

Security (RequireJS): CVE-2024-38998 and CVE-2024-38999 (VEX Justification: vulnerable_code_not_in_execute_path).

 
Oracle Support Tools Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Support Tools.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVSS Version 3.1 risk (see Risk Matrix Definitions) is given in the Base Score through Availability columns.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-52046 | OSS Support Tools | Diagnostic Assistant (Apache Mina) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 2.11.0-2.12.46 | |
| CVE-2024-52046 | OSS Support Tools | Services Tools Bundle (Apache Mina) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.00-8.18, 18.1-18.4, 19.1-19.4, 20.1-20.4, 22.2, 23.1-23.4, 24.1-24.4, 25.1 | |
| CVE-2024-47554 | OSS Support Tools | Diagnostic Assistant (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 2.11.0-2.12.46 | |
| CVE-2024-47554 | OSS Support Tools | Services Tools Bundle (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 8.00-8.18, 18.1-18.4, 19.1-19.4, 20.1-20.4, 22.2, 23.1-23.4, 24.1-24.4, 25.1 | |
 

 
Oracle Systems Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Systems.  Neither of these vulnerabilities may be remotely exploitable without authentication, i.e., neither may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVSS Version 3.1 risk (see Risk Matrix Definitions) is given in the Base Score through Availability columns.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2025-30690 | Oracle Solaris | Filesystem | None | No | 7.2 | Local | High | High | Required | Changed | High | High | High | 11 | |
| CVE-2025-30700 | Oracle Solaris | Pluggable authentication module | HTTP | No | 3.5 | Network | Low | Low | Required | Unchanged | Low | None | None | 11 | |

 
Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Utilities Applications.  Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVSS Version 3.1 risk (see Risk Matrix Definitions) is given in the Base Score through Availability columns.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-47072 | Oracle Utilities Application Framework | General (XStream) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 4.3.0.3.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0, 4.5.0.1.1, 4.5.0.1.3, 24.1.0.0.0-24.3.0.0.0 | |
| CVE-2024-47554 | Oracle Utilities Application Framework | General (Apache Commons IO) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 4.3.0.3.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0, 4.5.0.1.1, 4.5.0.1.3 | |

 
Oracle Virtualization Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Virtualization.  None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVSS Version 3.1 risk (see Risk Matrix Definitions) is given in the Base Score through Availability columns.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2025-30712 | Oracle VM VirtualBox | Core | None | No | 8.1 | Local | Low | High | None | Changed | High | High | Low | 7.1.6 | |
| CVE-2025-30725 | Oracle VM VirtualBox | Core | None | No | 6.7 | Local | High | High | None | Changed | Low | Low | High | 7.1.6 | |
| CVE-2025-30719 | Oracle VM VirtualBox | Core | None | No | 6.1 | Local | Low | Low | None | Unchanged | Low | None | High | 7.1.6 | |
