Server Vulnerability in Oracle Analytics' BI Publisher Product
CVE-2024-20979

5.4 MEDIUM

Key Information:

Vendor: Oracle
CVE Published: 16 January 2024

Summary

A vulnerability in Oracle BI Publisher, which is part of Oracle Analytics, allows a low-privileged attacker with network access via HTTP to exploit the system. It permits unauthorized actions, including updates and reads of sensitive data. A successful exploit may require human interaction, and the potential impact extends beyond Oracle BI Publisher itself. The vulnerability might have significant implications for any data handled by the accessible version of Oracle BI Publisher.

Affected Version(s)

BI Publisher (formerly XML Publisher) 6.4.0.0.0

BI Publisher (formerly XML Publisher) 7.0.0.0.0

BI Publisher (formerly XML Publisher) 12.2.1.4.0

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
