Vulnerabilities in Oracle BI Publisher 6.4/7.0 (OAS) affecting January 2024 CP
Reporter | Title | Published | Views | Family All 12 |
---|---|---|---|---|
![]() | CVE-2024-20980 | 17 Feb 202402:15 | – | nvd |
![]() | CVE-2024-20979 | 16 Jan 202422:15 | – | nvd |
![]() | CVE-2024-20980 | 17 Feb 202401:50 | – | vulnrichment |
![]() | CVE-2024-20979 | 16 Jan 202421:41 | – | vulnrichment |
![]() | CVE-2024-20979 | 16 Jan 202421:41 | – | cvelist |
![]() | CVE-2024-20980 | 17 Feb 202401:50 | – | cvelist |
![]() | Design/Logic Flaw | 16 Jan 202422:15 | – | prion |
![]() | Design/Logic Flaw | 17 Feb 202402:15 | – | prion |
![]() | CVE-2024-20979 | 16 Jan 202422:15 | – | cve |
![]() | CVE-2024-20980 | 17 Feb 202402:15 | – | cve |
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(189738);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/11/28");
script_cve_id("CVE-2024-20979", "CVE-2024-20980");
script_name(english:"Oracle Business Intelligence Publisher 6.4 / 7.0 (OAS) (January 2024 CPU)");
script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by multiple vulnerabilities");
script_set_attribute(attribute:"description", value:
"The versions of Oracle Business Intelligence Publisher (OAS) installed on the remote host are affected by
a vulnerability as referenced in the January 2024 CPU advisory.
- Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: Web Server). Supported
versions that are affected are 6.4.0.0.0, 7.0.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability
allows low privileged attacker with network access via HTTP to compromise Oracle BI Publisher. Successful
attacks require human interaction from a person other than the attacker and while the vulnerability is in
Oracle BI Publisher, attacks may significantly impact additional products (scope change). Successful
attacks of this vulnerability can result in unauthorized update, insert or delete access to some of
Oracle BI Publisher accessible data as well as unauthorized read access to a subset of Oracle BI
Publisher accessible data. (CVE-2024-20979)
- Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: Web Server). Supported
versions that are affected are 6.4.0.0.0 and 7.0.0.0.0. Easily exploitable vulnerability allows low
privileged attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks
require human interaction from a person other than the attacker and while the vulnerability is in Oracle
BI Publisher, attacks may significantly impact additional products (scope change). Successful attacks of
this vulnerability can result in unauthorized update, insert or delete access to some of Oracle BI
Publisher accessible data as well as unauthorized read access to a subset of Oracle BI Publisher
accessible data. (CVE-2024-20980)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpujan2024.html");
script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the January 2024 Oracle Critical Patch Update advisory.");
script_set_attribute(attribute:"agent", value:"all");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-20979");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2024/01/17");
script_set_attribute(attribute:"patch_publication_date", value:"2024/01/17");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/01/29");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:business_intelligence_publisher");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("oracle_bi_publisher_installed.nbin");
script_require_keys("installed_sw/Oracle Business Intelligence Publisher");
exit(0);
}
include('vcf_extras.inc');
var app_info = vcf::get_app_info(app:'Oracle Business Intelligence Publisher');
var constraints = [
# Oracle Analytics Server 6.4 / 7.0
{'min_version': '12.2.6.4.0', 'fixed_version': '12.2.6.4.240110', 'patch': '36174509', 'bundle': '36194084'},
{'min_version': '12.2.7.0.0', 'fixed_version': '12.2.7.0.240110', 'patch': '36174464', 'bundle': '36194027'},
];
vcf::oracle_bi_publisher::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo