Vulnerability in Oracle BI Publisher Affects Oracle Fusion Middleware
CVE-2022-21590

7.6HIGH

Key Information:

Vendor: Oracle
Status: Bi Publisher (formerly Xml Publisher)
Vendor: CVE Published:; 18 October 2022

Summary

This vulnerability in Oracle BI Publisher, part of Oracle Fusion Middleware’s Core Formatting API, permits low-privileged attackers with network access to exploit it through HTTP. A successful exploit can lead to unauthorized access to sensitive data, allowing attackers to view, update, insert, or delete information within Oracle BI Publisher. Additionally, the vulnerability poses the risk of a partial denial of service, compromising the availability of the service. It is crucial for users running the affected versions to apply security updates promptly to safeguard their data integrity and confidentiality.

Affected Version(s)

BI Publisher (formerly XML Publisher) 5.9.0.0

BI Publisher (formerly XML Publisher) 6.4.0.0.0

BI Publisher (formerly XML Publisher) 12.2.1.3.0

References

https://www.oracle.com/security-alerts/cpuoct2022.html

CVSS V3.1

Score:

7.6

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 18, 2022
Vulnerability Reserved
Nov 15, 2021