Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLE_OBIEE_CPU_APR_2024_OAS_7.NASL
HistoryApr 19, 2024 - 12:00 a.m.

Oracle Business Intelligence Enterprise Edition (OAS 7.0) (April 2024 CPU)

2024-04-1900:00:00
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
4
oracle business intelligence
oas 7.0
april 2024 cpu
vulnerabilities
analytics server
analytics web answers
data visualization
cve-2023-43804
cve-2024-21064
cve-2024-21099
http
network access
unauthorized access
data compromise
nessus scanner

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

7.3 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

59.8%

JSON

The version of Oracle Business Intelligence Enterprise Edition (OAS) 7.0.0.0 installed on the remote host is affected by multiple vulnerabilities as referenced in the April 2024 CPU advisory, including the following:

  • Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Analytics Server (urllib3)). The supported version that is affected is 7.0.0.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data. (CVE-2023-43804)

  • Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Analytics Web Answers). Supported versions that are affected are 7.0.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Business Intelligence Enterprise Edition accessible data. (CVE-2024-21064)

  • Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Data Visualization). The supported version that is affected is 7.0.0.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Business Intelligence Enterprise Edition accessible data. (CVE-2024-21099)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(193558);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/19");

  script_cve_id(
    "CVE-2021-28861",
    "CVE-2023-2976",
    "CVE-2023-3817",
    "CVE-2023-35116",
    "CVE-2023-43804",
    "CVE-2024-21001",
    "CVE-2024-21064",
    "CVE-2024-21099"
  );

  script_name(english:"Oracle Business Intelligence Enterprise Edition (OAS 7.0) (April 2024 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by multiple vulnerabilities");
  script_set_attribute(attribute:"description", value:
"The version of Oracle Business Intelligence Enterprise Edition (OAS) 7.0.0.0 installed on the remote
host is affected by multiple vulnerabilities as referenced in the April 2024 CPU advisory, including the
following:

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics 
    (component: Analytics Server (urllib3)). The supported version that is affected is 7.0.0.0.0. Easily 
    exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise 
    Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in 
    unauthorized creation, deletion or modification access to critical data or all Oracle Business 
    Intelligence Enterprise Edition accessible data as well as unauthorized access to critical data or 
    complete access to all Oracle Business Intelligence Enterprise Edition accessible data. (CVE-2023-43804)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics 
    (component: Analytics Web Answers). Supported versions that are affected are 7.0.0.0.0 and 
    12.2.1.4.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP 
    to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human 
    interaction from a person other than the attacker and while the vulnerability is in Oracle Business 
    Intelligence Enterprise Edition, attacks may significantly impact additional products (scope change). 
    Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to 
    some of Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized read 
    access to a subset of Oracle Business Intelligence Enterprise Edition accessible data. (CVE-2024-21064)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics 
    (component: Data Visualization). The supported version that is affected is 7.0.0.0.0. Easily exploitable 
    vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Business 
    Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read 
    access to a subset of Oracle Business Intelligence Enterprise Edition accessible data. (CVE-2024-21099)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpuapr2024.html");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the April 2024 Oracle Critical Patch Update advisory.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-43804");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/04/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/04/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/04/19");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:business_intelligence");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_analytics_server_installed.nbin");
  script_require_keys("installed_sw/Oracle Analytics Server");

  exit(0);
}

include('vcf.inc');

var app_info = vcf::get_app_info(app:'Oracle Analytics Server');

# based on Oracle CPU data
var constraints = [
  {'min_version': '7.0.0.0.0', 'fixed_version': '7.0.0.0.240414', 'fixed_display': '7.0.0.0.240414 patch: 36511065'}
];

vcf::check_version_and_report(app_info: app_info, constraints:constraints, severity:SECURITY_HOLE);
VendorProductVersionCPE
oraclebusiness_intelligencecpe:/a:oracle:business_intelligence

Related

nessus 47
cvelist 7
vulnrichment 2
nvd 7
cve 7
ibm 29
prion 3
redhat 3
debiancve 4
ubuntucve 3
fedora 13
suse 2
openvas 35
osv 11
redhatcve 4
atlassian 3
veracode 2
ubuntu 1
cbl_mariner 5
rocky 1
almalinux 2
f5 1
redos 2
cgr 1
githubexploit 1
oraclelinux 1
wolfi 1
alpinelinux 1
nessus
nessus
Oracle Business Intelligence Enterprise Edition (April 2024 CPU)
2024-04-19 00:00:00
RHEL 6 : jackson-databind (Unpatched Vulnerability)
2024-06-03 00:00:00
Amazon Linux 2023 : jackson-core (ALAS2023-2023-248)
2023-07-20 00:00:00
cvelist
cvelist
CVE-2024-21001
2024-04-16 21:25:58
CVE-2024-21099
2024-04-16 21:26:31
CVE-2024-21064
2024-04-16 21:26:19
vulnrichment
vulnrichment
CVE-2024-21001
2024-04-16 21:25:58
CVE-2024-21099
2024-04-16 21:26:31
nvd
nvd
CVE-2024-21064
2024-04-16 22:15:24
CVE-2024-21099
2024-04-16 22:15:30
CVE-2024-21001
2024-04-16 22:15:13
cve
cve
CVE-2024-21064
2024-04-16 22:15:24
CVE-2024-21099
2024-04-16 22:15:30
CVE-2024-21001
2024-04-16 22:15:13
ibm
ibm
Security Bulletin: Security Vulnerabilities in JRE and Java packages affect IBM Voice Gateway
2023-08-14 15:10:52
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in Fasterxml jackson-databind [CVE-2023-35116]
2024-04-25 18:29:52
Security Bulletin: IBM Integration Designer is vulnerable to a denial of service (CVE-2023-35116)
2023-07-06 18:33:08
prion
prion
Code injection
2023-06-14 14:15:00
Open redirect
2022-08-23 01:15:00
Design/Logic Flaw
2023-06-14 18:15:00
redhat
redhat
(RHSA-2024:2707) Important: Red Hat Build of Apache Camel security update
2024-05-06 14:08:42
(RHSA-2024:2986) Moderate: python3.11-urllib3 security update
2024-05-22 06:35:16
(RHSA-2024:0187) Moderate: Red Hat OpenStack Platform 17.1 (python-urllib3) security update
2024-01-16 14:14:01
debiancve
debiancve
CVE-2023-35116
2023-06-14 14:15:00
CVE-2021-28861
2022-08-23 01:15:07
CVE-2023-43804
2023-10-04 17:15:10
ubuntucve
ubuntucve
CVE-2023-35116
2023-06-14 00:00:00
CVE-2021-28861
2022-08-23 00:00:00
CVE-2023-43804
2023-10-04 00:00:00
fedora
fedora
[SECURITY] Fedora 37 Update: pypy3.8-7.3.9-5.3.8.fc37
2022-11-10 22:44:34
[SECURITY] Fedora 35 Update: python3.6-3.6.15-5.fc35
2022-10-01 01:26:05
[SECURITY] Fedora 36 Update: pypy3.7-7.3.9-4.3.7.fc36
2022-10-28 11:16:46
suse
suse
Security update for python3 (important)
2022-10-06 00:00:00
Security update for python (moderate)
2022-10-04 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2022:3593-1)
2022-10-17 00:00:00
SUSE: Security Advisory (SUSE-SU-2022:3512-2)
2022-10-18 00:00:00
Fedora: Security Advisory for pypy3.9 (FEDORA-2022-61d8e8d880)
2022-10-24 00:00:00
osv
osv
python3.5 vulnerability
2022-09-22 18:52:20
http.server: Open Redirection if the URL path starts with //
2022-08-23 00:00:00
BIT-python-2021-28861
2024-03-06 11:06:51
redhatcve
redhatcve
CVE-2023-35116
2023-08-22 17:50:09
CVE-2023-2976
2023-07-01 06:23:57
CVE-2021-28861
2022-08-23 13:09:44
atlassian
atlassian
com.google.guava:guava Dependency in Confluence Data Center and Server
2024-02-14 20:46:01
com.google.guava:guava Dependency in Jira Service Management Data Center and Server
2024-02-12 03:45:36
Info Disclosure com.google.guava:guava in Jira Software Data Center and Server
2023-11-14 03:45:23
veracode
veracode
Information Disclosure
2022-10-10 23:00:45
Information Disclosure
2023-10-06 12:09:49
ubuntu
ubuntu
Python vulnerability
2022-09-22 00:00:00
cbl_mariner
cbl_mariner
CVE-2021-28861 affecting package python3 3.7.13-2
2022-09-17 05:56:36
CVE-2021-28861 affecting package python3 for versions less than 3.9.19-1
2022-09-16 06:05:37
CVE-2023-2976 affecting package javapackages-bootstrap for versions less than 1.5.0-5
2024-04-09 20:48:36
rocky
rocky
python3.11-urllib3 security update
2024-06-14 13:59:30
almalinux
almalinux
Moderate: python3.11-urllib3 security update
2024-05-22 00:00:00
Moderate: python3.11-urllib3 security update
2024-04-30 00:00:00
f5
f5
K000138600 : Python vulnerability CVE-2023-43804
2024-02-13 00:00:00
redos
redos
ROS-20240507-03
2024-05-07 00:00:00
ROS-20240405-02
2024-04-05 00:00:00
cgr
cgr
CVE-2023-43804 vulnerabilities
2024-05-19 03:07:16
githubexploit
githubexploit
Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Python Urllib3
2023-10-13 06:15:45
oraclelinux
oraclelinux
python3.11-urllib3 security update
2024-05-23 00:00:00
wolfi
wolfi
CVE-2023-43804 vulnerabilities
2024-06-30 21:08:34
alpinelinux
alpinelinux
CVE-2023-43804
2023-10-04 17:15:10

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

7.3 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

59.8%

JSON
Related for ORACLE_OBIEE_CPU_APR_2024_OAS_7.NASL
nessus47cvelist7vulnrichment2nvd7cve7ibm29prion3redhat3debiancve4ubuntucve3fedora13suse2openvas35osv11redhatcve4atlassian3veracode2ubuntu1cbl_mariner5rocky1almalinux2f51redos2cgr1githubexploit1oraclelinux1wolfi1alpinelinux1