Lucene search

K

Oracle Business Intelligence Publisher 6.4 / 7.0 (OAS) (January 2024 CPU)

Vulnerabilities in Oracle BI Publisher 6.4/7.0 (OAS) affecting January 2024 CP

Show more
Related
Refs
Code
ReporterTitlePublishedViews
Family
NVD
CVE-2024-20980
17 Feb 202402:15
nvd
NVD
CVE-2024-20979
16 Jan 202422:15
nvd
Vulnrichment
CVE-2024-20980
17 Feb 202401:50
vulnrichment
Vulnrichment
CVE-2024-20979
16 Jan 202421:41
vulnrichment
Cvelist
CVE-2024-20979
16 Jan 202421:41
cvelist
Cvelist
CVE-2024-20980
17 Feb 202401:50
cvelist
Prion
Design/Logic Flaw
16 Jan 202422:15
prion
Prion
Design/Logic Flaw
17 Feb 202402:15
prion
CVE
CVE-2024-20979
16 Jan 202422:15
cve
CVE
CVE-2024-20980
17 Feb 202402:15
cve
Rows per page
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(189738);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/11/28");

  script_cve_id("CVE-2024-20979", "CVE-2024-20980");

  script_name(english:"Oracle Business Intelligence Publisher 6.4 / 7.0 (OAS) (January 2024 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by multiple vulnerabilities");
  script_set_attribute(attribute:"description", value:
"The versions of Oracle Business Intelligence Publisher (OAS) installed on the remote host are affected by 
a vulnerability as referenced in the January 2024 CPU advisory.

  - Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: Web Server). Supported 
    versions that are affected are 6.4.0.0.0, 7.0.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability 
    allows low privileged attacker with network access via HTTP to compromise Oracle BI Publisher. Successful 
    attacks require human interaction from a person other than the attacker and while the vulnerability is in 
    Oracle BI Publisher, attacks may significantly impact additional products (scope change). Successful 
    attacks of this vulnerability can result in unauthorized update, insert or delete access to some of 
    Oracle BI Publisher accessible data as well as unauthorized read access to a subset of Oracle BI 
    Publisher accessible data. (CVE-2024-20979)

  - Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: Web Server). Supported 
    versions that are affected are 6.4.0.0.0 and 7.0.0.0.0. Easily exploitable vulnerability allows low 
    privileged attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks 
    require human interaction from a person other than the attacker and while the vulnerability is in Oracle 
    BI Publisher, attacks may significantly impact additional products (scope change). Successful attacks of 
    this vulnerability can result in unauthorized update, insert or delete access to some of Oracle BI 
    Publisher accessible data as well as unauthorized read access to a subset of Oracle BI Publisher 
    accessible data. (CVE-2024-20980)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpujan2024.html");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the January 2024 Oracle Critical Patch Update advisory.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-20979");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/01/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/01/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/01/29");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:business_intelligence_publisher");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_bi_publisher_installed.nbin");
  script_require_keys("installed_sw/Oracle Business Intelligence Publisher");

  exit(0);
}

include('vcf_extras.inc');

var app_info = vcf::get_app_info(app:'Oracle Business Intelligence Publisher');

var constraints = [
  # Oracle Analytics Server 6.4 / 7.0
  {'min_version': '12.2.6.4.0', 'fixed_version': '12.2.6.4.240110', 'patch': '36174509', 'bundle': '36194084'},
  {'min_version': '12.2.7.0.0', 'fixed_version': '12.2.7.0.240110', 'patch': '36174464', 'bundle': '36194027'},
];

vcf::oracle_bi_publisher::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
29 Jan 2024 00:00Current
4.9Medium risk
Vulners AI Score4.9
CVSS35.4
EPSS0.0004
SSVC
47
.json
Report