CVE-2019-2904

Name: CVE-2019-2904
Creator: NVD / NIST
Published: 2019-10-16T18:15:27.56+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 14.26%

Last modified Jun 17, 2026

CVE-2019-2904 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Vulnerability in the Oracle JDeveloper and ADF product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 11.1.1.9.0, 12.1.3.0.0 and 12.2.1.3.0. EPSS estimates a 14.26% chance of exploitation in the next 30 days.

Description

Vulnerability in the Oracle JDeveloper and ADF product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 11.1.1.9.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle JDeveloper and ADF. Successful attacks of this vulnerability can result in takeover of Oracle JDeveloper and ADF. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

14.26%

96.1th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

Vendor	Product	Versions
Oracle	Application Testing Suite	12.5.0.3
Oracle	Application Testing Suite	13.1.0.1
Oracle	Application Testing Suite	13.2.0.1
Oracle	Application Testing Suite	13.3.0.1
Oracle	Banking Enterprise Collections	2.7.0
Oracle	Banking Enterprise Collections	2.8.0
Oracle	Banking Enterprise Originations	2.7.0
Oracle	Banking Enterprise Originations	2.8.0
Oracle	Banking Enterprise Product Manufacturing	2.7.0
Oracle	Banking Enterprise Product Manufacturing	2.8.0
Oracle	Banking Platform	2.4.0
Oracle	Banking Platform	2.4.1
Oracle	Banking Platform	2.5.0
Oracle	Banking Platform	2.6.0
Oracle	Banking Platform	2.6.1
Oracle	Banking Platform	2.6.2
Oracle	Banking Platform	2.7.0
Oracle	Banking Platform	2.7.1
Oracle	Banking Platform	2.9.0
Oracle	Business Process Management Suite	12.2.1.3.0
Oracle	Business Process Management Suite	12.2.1.4.0
Oracle	Clinical	5.2
Oracle	Communications Diameter Signaling Router	>= 8.0.0.0, <= 8.4.0.5
Oracle	Communications Network Integrity	>= 7.3.2, <= 7.3.6
Oracle	Communications Service Broker	6.0
Oracle	Communications Service Broker	6.1
Oracle	Communications Services Gatekeeper	6.0
Oracle	Communications Services Gatekeeper	6.1
Oracle	Enterprise Repository	11.1.1.7.0
Oracle	Financial Services Lending And Leasing	>= 14.1.0, <= 14.2.0
Oracle	Financial Services Lending And Leasing	12.5.0
Oracle	Financial Services Revenue Management And Billing Analytics	2.6
Oracle	Financial Services Revenue Management And Billing Analytics	2.7
Oracle	Financial Services Revenue Management And Billing Analytics	2.8
Oracle	Flexcube Private Banking	12.0.0
Oracle	Flexcube Private Banking	12.1.0
Oracle	Health Sciences Data Management Workbench	2.4
Oracle	Health Sciences Data Management Workbench	2.5
Oracle	Hyperion Planning	11.1.2.4
Oracle	Rapid Planning	12.1.3
Oracle	Retail Assortment Planning	15.0.3.0
Oracle	Retail Assortment Planning	16.0.3.0
Oracle	Retail Clearance Optimization Engine	13.4
Oracle	Retail Clearance Optimization Engine	14.0.3
Oracle	Retail Clearance Optimization Engine	14.0.5
Oracle	Retail Markdown Optimization	13.4
Oracle	Retail Sales Audit	15.0.3
Oracle	Retail Sales Audit	16.0.2

References

http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.htmlPatch, Vendor Advisory
https://www.oracle.com/security-alerts/cpuapr2020.htmlVendor Advisory
https://www.oracle.com/security-alerts/cpuapr2021.htmlVendor Advisory
https://www.oracle.com/security-alerts/cpujan2020.htmlVendor Advisory
https://www.oracle.com/security-alerts/cpujul2020.htmlVendor Advisory
https://www.oracle.com/security-alerts/cpuoct2020.htmlVendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-19-1024/Third Party Advisory, VDB Entry
http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.htmlPatch, Vendor Advisory
https://www.oracle.com/security-alerts/cpuapr2020.htmlVendor Advisory
https://www.oracle.com/security-alerts/cpuapr2021.htmlVendor Advisory
https://www.oracle.com/security-alerts/cpujan2020.htmlVendor Advisory
https://www.oracle.com/security-alerts/cpujul2020.htmlVendor Advisory
https://www.oracle.com/security-alerts/cpuoct2020.htmlVendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-19-1024/Third Party Advisory, VDB Entry

Timeline

Published: Oct 16, 2019
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2019-2904?

How severe is CVE-2019-2904?

CVE-2019-2904 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 14.26% probability of exploitation in the next 30 days.

How do I fix CVE-2019-2904?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-2904?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST