Vulnerability in BI Publisher of Oracle Fusion Middleware
CVE-2019-2616

7.2HIGH

Key Information:

Vendor: Oracle
Status: Bi Publisher (formerly Xml Publisher)
Vendor: CVE Published:; 23 April 2019

Badges

👾 Exploit Exists🟣 EPSS 94%🦅 CISA Reported

What is CVE-2019-2616?

An easily exploitable vulnerability exists in the BI Publisher component of Oracle Fusion Middleware, allowing unauthenticated attackers with network access via HTTP to compromise the system. This flaw impacts versions 11.1.1.9.0, 12.2.1.3.0, and 12.2.1.4.0. Successful exploits can lead to unauthorized access, enabling an attacker to update, insert, or delete accessible data within BI Publisher. Additionally, there is the potential for unauthorized reading of certain data, posing a significant risk to integrity and confidentiality.

CISA has reported CVE-2019-2616

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2019-2616 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace

The CISA's recommendation is: Apply updates per vendor instructions.

Affected Version(s)

BI Publisher (formerly XML Publisher) 11.1.1.9.0

BI Publisher (formerly XML Publisher) 12.2.1.3.0

BI Publisher (formerly XML Publisher) 12.2.1.4.0

References

http://www.oracle.com/technetwork/security-advisory/cpuap...

x_refsource_MISC

EPSS Score

94% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

👾
Exploit known to exist
Mar 25, 2022
🦅
CISA Reported
Mar 25, 2022
Vulnerability published
Apr 23, 2019
Vulnerability Reserved
Dec 14, 2018