Vulnerability Report: Information Exposure in Oracle's iRecruitment
Tuesday, 27 April 2010 00:00

Release Date: 4/27/2010
CVE Identifier: Pending

The following information exposure vulnerability has been reported to Oracle. Oracle reports that it has been addressed by patches and upgrades in the January 2010 Critical Patch Update (CPU) under CVE-2010-0075 and in the April 2010 CPU under CVE-2010-0861.

Public exposure of employee information and reporting relationships from Oracle's iRecruitment software

Oracle's iRecruitment software is an HR system used by many government agencies and large private corporations. The system can be used to manage hiring information as well as current employee records. While using one such company's hiring system as an external applicant, I followed a hyperlink and was able to recover the company's entire corporate hierarchy, including employees' names and contact information (primarily business contact details, but also some personal information such as cell phone numbers). More importantly, the exposed data shows departmental breakdowns and reporting relationships within the hierarchy. Depending on how much information a particular organization stores and where it stores it, this could result in a violation of employee privacy protection laws such as those of the state of Massachusetts.
