Web Server Vulnerability in Oracle Analytics BI Publisher
CVE-2024-20987

5.4MEDIUM

Key Information:

Vendor: Oracle
Status: BI Publisher (formerly XML Publisher)
Vendor: CVE Published:; 16 January 2024

Summary

A vulnerability exists in the Oracle BI Publisher component of Oracle Analytics, which may allow a low-privilege attacker with network access via HTTP to compromise the system. Successful exploitation requires user interaction from someone other than the attacker, and while it primarily affects Oracle BI Publisher, the consequences can extend to additional products. Attackers could gain unauthorized access to update, insert, or delete data within Oracle BI Publisher and read certain accessible data unauthorizedly. This vulnerability demonstrates the need for enhanced security measures and awareness of potential attacks against web server components.

Affected Version(s)

BI Publisher (formerly XML Publisher) 12.2.1.4.0

References

https://www.oracle.com/security-alerts/cpujan2024.html

vendor-advisory

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jan 16, 2024
Vulnerability Reserved
Dec 7, 2023