{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21977", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "state": "PUBLISHED", "assignerShortName": "oracle", "dateReserved": "2026-01-05T18:07:34.716Z", "datePublished": "2026-01-20T21:56:37.605Z", "dateUpdated": "2026-01-21T16:42:39.309Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-01-20T21:56:37.605Z"}, "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Oracle Zero Data Loss Recovery Appliance Software. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Zero Data Loss Recovery Appliance Software accessible data."}]}], "affected": [{"vendor": "Oracle Corporation", "product": "Oracle Zero Data Loss Recovery Appliance Software", "versions": [{"version": "23.1.0", "status": "affected", "lessThanOrEqual": "23.1.202509", "versionType": "custom"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:zero_data_loss_recovery_appliance_software:*:*:*:*:*:*:*:*", "versionStartIncluding": "23.1.0", "versionEndIncluding": "23.1.202509"}]}]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the Oracle Zero Data Loss Recovery Appliance Software product of Oracle Zero Data Loss Recovery Appliance (component: Security). Supported versions that are affected are 23.1.0-23.1.202509. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Oracle Zero Data Loss Recovery Appliance Software. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Zero Data Loss Recovery Appliance Software accessible data. CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)."}], "references": [{"url": "https://www.oracle.com/security-alerts/cpujan2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "baseScore": 3.1, "baseSeverity": "LOW"}}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-noinfo Not enough information"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-21T16:38:18.932996Z", "id": "CVE-2026-21977", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-21T16:42:39.309Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21977", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-21T16:38:18.932996Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-21T16:38:14.239Z"}}], "cna": {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "Oracle Corporation", "product": "Oracle Zero Data Loss Recovery Appliance Software", "versions": [{"status": "affected", "version": "23.1.0", "versionType": "custom", "lessThanOrEqual": "23.1.202509"}]}], "references": [{"url": "https://www.oracle.com/security-alerts/cpujan2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the Oracle Zero Data Loss Recovery Appliance Software product of Oracle Zero Data Loss Recovery Appliance (component: Security). Supported versions that are affected are 23.1.0-23.1.202509. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Oracle Zero Data Loss Recovery Appliance Software. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Zero Data Loss Recovery Appliance Software accessible data. CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Oracle Zero Data Loss Recovery Appliance Software. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Zero Data Loss Recovery Appliance Software accessible data."}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:zero_data_loss_recovery_appliance_software:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "23.1.202509", "versionStartIncluding": "23.1.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-01-20T21:56:37.605Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21977", "state": "PUBLISHED", "dateUpdated": "2026-01-21T16:42:39.309Z", "dateReserved": "2026-01-05T18:07:34.716Z", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "datePublished": "2026-01-20T21:56:37.605Z", "assignerShortName": "oracle"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle Zero Data Loss Recovery Appliance Software product of Oracle Zero Data Loss Recovery Appliance (component: Security). Supported versions that are affected are 23.1.0-23.1.202509. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Oracle Zero Data Loss Recovery Appliance Software. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Zero Data Loss Recovery Appliance Software accessible data. CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)."}, {"lang": "es", "value": "Vulnerabilidad en el producto de software Oracle Zero Data Loss Recovery Appliance de Oracle Zero Data Loss Recovery Appliance (componente: Seguridad). Versiones compatibles que est\u00e1n afectadas son 23.1.0-23.1.202509. Vulnerabilidad dif\u00edcil de explotar permite a un atacante no autenticado con acceso de red a trav\u00e9s de Oracle Net comprometer el software Oracle Zero Data Loss Recovery Appliance. Ataques exitosos requieren interacci\u00f3n humana de una persona que no sea el atacante. Ataques exitosos de esta vulnerabilidad pueden resultar en acceso de lectura no autorizado a un subconjunto de datos accesibles del software Oracle Zero Data Loss Recovery Appliance. Puntuaci\u00f3n base CVSS 3.1 de 3.1 (Impactos en la confidencialidad). Vector CVSS: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)."}], "id": "CVE-2026-21977", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "secalert_us@oracle.com", "type": "Primary"}]}, "published": "2026-01-20T22:16:00.987", "references": [{"source": "secalert_us@oracle.com", "url": "https://www.oracle.com/security-alerts/cpujan2026.html"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Deferred"}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T15:35:24.295923+00:00", "value": {"mitigation_remediation": ["Apply the latest Oracle patch for Zero Data Loss Recovery Appliance Software", "Upgrade to the most recent release version (23.1.202511 or later) if a patch is not available", "Restrict network access to the appliance to trusted networks only, and limit Oracle Net connections to necessary parties", "Enable detailed logging on the appliance and monitor for suspicious access attempts or unusual read patterns"], "summary": {"action": "Patch", "impact": "Unauthorized data disclosure"}, "threat_synthesis": {"affected_systems": "Oracle Corporation's Zero Data Loss Recovery Appliance Software, specifically versions 23.1.0 through 23.1.202509, is vulnerable. The issue resides in the Security component of the appliance.", "description_and_impact": "The vulnerability permits an unauthenticated attacker with network access to Oracle Net to read restricted data from the Oracle Zero Data Loss Recovery Appliance without changing the system state. The lack of authorization enforcement allows the attacker to access a subset of data, potentially exposing sensitive information. The flaw is classified as affecting confidentiality only, with no impact on integrity or availability.", "risk_and_exploitability": "The CVSS v3.1 base score of 3.1 reflects a low severity confidentiality impact, while the EPSS score of less than 1\u202f% indicates a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attacks would require a human to interact with the appliance after exploitation; network traffic over Oracle Net can trigger the read operation."}}}}, "created": "2026-04-18T15:45:04.271184+00:00", "title": "Unauthenticated Network Access Leading to Unauthorized Data Read in Oracle Zero Data Loss Recovery Appliance", "updated": "2026-04-18T15:45:04.271194+00:00", "vendors": [], "weaknesses": ["CWE-284", "CWE-200"]}