Oracle BI Publisher Vulnerability Allows Low-Privileged Attacks on Data
CVE-2024-20980

5.4 MEDIUM

Key Information:

Vendor: Oracle
CVE Published: 17 February 2024

Summary

A vulnerability exists in the Oracle BI Publisher component of Oracle Analytics, affecting versions 6.4.0.0.0 and 7.0.0.0.0. A low-privileged attacker with network access via HTTP can exploit it, but successful exploitation requires human interaction. Although the vulnerability is in Oracle BI Publisher, its impact can extend to other products (a scope change). Successful exploitation affects both the confidentiality and integrity of accessible data: an attacker can perform unauthorized updates, inserts, or deletions and gain unauthorized read access to data within Oracle BI Publisher.

Affected Version(s)

BI Publisher (formerly XML Publisher) 6.4.0.0.0

BI Publisher (formerly XML Publisher) 7.0.0.0.0

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
