PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-4835 CF Software CVE debrief

CVE-2023-4835 is a critical SQL injection vulnerability (CWE-89) in CF Software Oil Management Software, which NVD's CPE data also records as Petroleum Management Software Application (Petroleum Management Software Application Project). Releases before 20230912 are affected. NVD assigns a CVSS 3.1 base score of 9.8: network attack vector, low attack complexity, no privileges or user interaction required, and high impact to confidentiality, integrity, and availability. The public records describe a straightforward input-handling flaw that an unauthenticated remote attacker can reach without any user interaction.

Vendor: CF Software
Product: Oil Management Software
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2023-09-15
Original CVE updated: 2026-05-21
Advisory published: 2023-09-15
Advisory updated: 2026-05-21

Who should care

Security teams, system administrators, and operators running CF Software Oil Management Software (or the build NVD lists as Petroleum Management Software Application) at any release earlier than 20230912 should treat this as urgent. It matters most for internet-facing or broadly reachable deployments, and for the teams responsible for database security, patch management, and incident response around those systems.

Technical summary

The vulnerability is categorized as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). NVD lists the vulnerable CPE as petroleum_management_software_application_project:petroleum_management_software_application with versions prior to 20230912. The CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates a remotely reachable issue that needs no privileges (so the injection point is reachable before authentication) and no user interaction, with scope unchanged and potentially severe consequences across confidentiality, integrity, and availability: reading or altering the backing database and disrupting the service. The records do not name the affected input or component, so the weakness should be assumed to apply to any user-controlled value the application places into a SQL statement.
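To make the CWE-89 pattern concrete, the following is an added illustration, not code from CF Software or the affected product (the vulnerable query and parameter are not public). It assumes a hypothetical `tanks` table and a `site` lookup, runs both the string-concatenated form and the parameterized fix against an in-memory SQLite database, and feeds each the same constructed payloads: a tautology that returns every row, and a UNION that pulls data the query was never meant to expose.

```python
import sqlite3

# Constructed demo schema; the real application's tables and queries are not
# public, so this only illustrates the weakness class, not the vendor's code.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tanks (id INTEGER PRIMARY KEY, site TEXT, volume INTEGER)")
    conn.executemany(
        "INSERT INTO tanks (site, volume) VALUES (?, ?)",
        [("north", 1200), ("south", 800), ("depot", 5000)],
    )
    return conn


def lookup_vulnerable(conn, site):
    # CWE-89: attacker-controlled text is spliced straight into the statement,
    # so quote characters and keywords in `site` become SQL syntax.
    sql = f"SELECT id, site, volume FROM tanks WHERE site = '{site}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, site):
    # Fix: bind the value as a parameter; the driver sends it as data and it
    # can never change the structure of the statement.
    sql = "SELECT id, site, volume FROM tanks WHERE site = ?"
    return conn.execute(sql, (site,)).fetchall()


# Constructed payloads of the kind an unauthenticated client could submit.
TAUTOLOGY = "x' OR '1'='1"                          # WHERE site = 'x' OR '1'='1'
UNION = "x' UNION SELECT 1, sqlite_version(), 0 --"  # appends a row of attacker-chosen data


def demo():
    conn = build_db()
    return {
        # the tautology turns a single-row lookup into a full-table dump
        "vuln_tautology_rows": len(lookup_vulnerable(conn, TAUTOLOGY)),
        "safe_tautology_rows": len(lookup_parameterized(conn, TAUTOLOGY)),
        # the UNION smuggles out something unrelated to the table (here, the
        # engine version; in a real attack, other tables or credentials)
        "vuln_union_leaks_version": lookup_vulnerable(conn, UNION)[0][1] == sqlite3.sqlite_version,
        "safe_union_rows": len(lookup_parameterized(conn, UNION)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parameterized version is the only real remediation; input filtering on quotes or keywords is bypassable and is at best a stopgap. The same principle applies whatever database and language the product actually uses.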

Defensive priority

Critical. Patch or upgrade immediately: the published severity is 9.8, the flaw is reachable without authentication, and the fix is a straightforward move to release 20230912 or later. If patching is delayed, reduce exposure and assume that any user-supplied value the application passes into SQL may be abusable until remediation is complete.

Recommended defensive actions

  • Inventory all installations of the affected Oil Management Software / Petroleum Management Software Application and record the installed release; any build earlier than 20230912 is affected.
  • Apply the vendor-fixed version 20230912 or later as soon as possible.
  • Until remediation is complete, restrict network access to the application to known clients, and ensure the database back end is reachable only from the application host.
  • Review web, application, and database logs for SQL syntax in request parameters (stray quotes, UNION SELECT, comment sequences, time-delay functions), database error messages returned to clients, and unusual query volumes or result sizes.
  • If compromise is suspected, rotate the database and application credentials, validate database integrity and access controls, and preserve logs for investigation.
  • Follow the linked NVD and USOM references for any vendor-specific remediation guidance or updates.
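A first-pass triage of the log review recommended above, as an added example rather than anything from the vendor or the advisories: the request paths, parameters and log lines below are constructed, since the product's real endpoints are not public. The scanner parses common-log-format lines, decodes each query-string parameter, and flags the classic injection indicators (boolean tautologies, UNION SELECT, comment terminators, time-delay functions) while leaving an ordinary apostrophe in a value alone.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlparse

# Constructed sample lines in common log format; not traffic from the affected
# product. Lines 2-4 carry injection attempts, line 5 a legitimate apostrophe.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Sep/2023:10:01:02 +0300] "GET /tanks?site=north HTTP/1.1" 200 512
10.0.0.9 - - [15/Sep/2023:10:01:07 +0300] "GET /tanks?site=x%27+OR+%271%27%3D%271 HTTP/1.1" 200 4096
10.0.0.9 - - [15/Sep/2023:10:01:09 +0300] "GET /tanks?site=x%27+UNION+SELECT+1%2Cuser%28%29%2C0--+ HTTP/1.1" 200 700
10.0.0.9 - - [15/Sep/2023:10:01:12 +0300] "GET /report?id=5+AND+SLEEP%285%29 HTTP/1.1" 200 300
10.0.0.7 - - [15/Sep/2023:10:02:00 +0300] "GET /tanks?site=o%27connor HTTP/1.1" 200 512
"""

# ip, ident, user, [timestamp], "METHOD target PROTOCOL", status, size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+) (?P<size>\d+)'
)

# Indicators are checked against the decoded parameter value. The tautology
# rule requires a quote followed by a boolean operator, so a bare apostrophe
# in a name does not trigger it.
INDICATORS = [
    ("tautology", re.compile(r"'\s*(or|and)\s*'?\w*'?\s*=\s*'?\w*'?", re.I)),
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("comment-terminator", re.compile(r"(--|/\*)")),
    ("time-based", re.compile(r"\b(sleep|benchmark|waitfor\s+delay|pg_sleep)\s*\(", re.I)),
]


def scan_line(line):
    """Return a record for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    query = urlparse(m.group("target")).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        for label, pattern in INDICATORS:
            if pattern.search(value):
                hits.append((name, label))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "target": unquote_plus(m.group("target")),
        "hits": hits,
    }


def scan_log(text):
    """Return only the records that carry at least one injection indicator."""
    findings = []
    for line in text.splitlines():
        rec = scan_line(line)
        if rec and rec["hits"]:
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        labels = ", ".join(f"{p}:{l}" for p, l in rec["hits"])
        print(f"{rec['ts']} {rec['ip']} {rec['target']}  [{labels}]")
```

Treat hits as leads to pivot on (same source IP, response sizes that jump relative to the baseline, database errors in the application log at the same timestamps), not as proof of compromise. The scanner sees only GET query strings in the access log; POST bodies, double-encoded payloads and injection through headers need the application's own logging or a WAF.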

Evidence notes

This debrief is based on the supplied NVD record and the linked USOM advisories. The NVD entry identifies the weakness as CWE-89, the CVSS vector as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and the vulnerable range as versions before 20230912. The source corpus also includes USOM advisory references associated with the CVE. Vendor and product naming in the supplied data is not fully consistent (CF Software / Oil Management Software in the CVE text, Petroleum Management Software Application Project in the CPE), so the wording above stays close to the source-backed names rather than reconciling them.

Official resources

Publicly disclosed in the CVE record and NVD on 2023-09-15. The supplied source corpus links to USOM advisories for additional context and mitigation guidance.