Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLE_OBIEE_CPU_JUL_2023_OAS.NASL
HistoryJul 21, 2023 - 12:00 a.m.

Oracle Business Intelligence Enterprise Edition (OAS) (July 2023 CPU)

2023-07-2100:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
57
JSON

The version of Oracle Business Intelligence Enterprise Edition (OAS) 6.4.0.0.0 and 7.0.0.0 installed on the remote host are affected by a vulnerability as referenced in the July 2023 CPU advisory.

  • Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Analytics Server (Apache Hive)). Supported versions that are affected are 6.4.0.0.0, 7.0.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data.
    (CVE-2018-1282)

  • Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Visual Analyzer (jackson-databind)). Supported versions that are affected are 6.4.0.0.0 and 7.0.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Business Intelligence Enterprise Edition. (CVE-2022-33980)

  • Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Visual Analyzer (CKEditor)). Supported versions that are affected are 6.4.0.0.0 and 7.0.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Business Intelligence Enterprise Edition accessible data. (CVE-2023-28439)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(178710);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/24");

  script_cve_id(
    "CVE-2018-1282",
    "CVE-2019-10086",
    "CVE-2019-17531",
    "CVE-2020-11988",
    "CVE-2021-33813",
    "CVE-2021-36090",
    "CVE-2021-37533",
    "CVE-2021-41183",
    "CVE-2021-41184",
    "CVE-2022-1471",
    "CVE-2022-24891",
    "CVE-2022-25647",
    "CVE-2022-29361",
    "CVE-2022-31777",
    "CVE-2022-33980",
    "CVE-2022-42003",
    "CVE-2022-46364",
    "CVE-2022-48285",
    "CVE-2023-1436",
    "CVE-2023-20861",
    "CVE-2023-22011",
    "CVE-2023-22013",
    "CVE-2023-22020",
    "CVE-2023-22021",
    "CVE-2023-22061",
    "CVE-2023-28439"
  );
  script_xref(name:"CEA-ID", value:"CEA-2021-0025");
  script_xref(name:"CEA-ID", value:"CEA-2021-0004");
  script_xref(name:"IAVA", value:"2023-A-0558");
  script_xref(name:"IAVA", value:"2023-A-0559");

  script_name(english:"Oracle Business Intelligence Enterprise Edition (OAS) (July 2023 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by an information disclosure vulnerability");
  script_set_attribute(attribute:"description", value:
"The version of Oracle Business Intelligence Enterprise Edition (OAS) 6.4.0.0.0 and 7.0.0.0 installed on the remote
host are affected by a vulnerability as referenced in the July 2023 CPU advisory. 

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics 
    (component: Analytics Server (Apache Hive)). Supported versions that are affected are 6.4.0.0.0, 
    7.0.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network 
    access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of 
    this vulnerability can result in unauthorized creation, deletion or modification access to critical data 
    or all Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized access to 
    critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data.
    (CVE-2018-1282)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics 
    (component: Visual Analyzer (jackson-databind)). Supported versions that are affected are 6.4.0.0.0 and 
    7.0.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP 
    to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability 
    can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of 
    Oracle Business Intelligence Enterprise Edition. (CVE-2022-33980)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics 
    (component: Visual Analyzer (CKEditor)). Supported versions that are affected are 6.4.0.0.0 and 
    7.0.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP 
    to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human 
    interaction from a person other than the attacker and while the vulnerability is in Oracle Business 
    Intelligence Enterprise Edition, attacks may significantly impact additional products (scope change). 
    Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to 
    some of Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized read 
    access to a subset of Oracle Business Intelligence Enterprise Edition accessible data. (CVE-2023-28439)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/docs/tech/security-alerts/cpujul2023cvrf.xml");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpujul2023.html");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the July 2023 Oracle Critical Patch Update advisory.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-33980");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-46364");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/07/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/07/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:business_intelligence");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_analytics_server_installed.nbin");
  script_require_keys("installed_sw/Oracle Analytics Server");

  exit(0);
}

include('vcf.inc');

var app_info = vcf::get_app_info(app:'Oracle Analytics Server');

# based on Oracle CPU data
var constraints = [
  {'min_version': '6.4.0.0.0', 'fixed_version': '6.4.0.0.230629', 'fixed_display': '6.4.0.0.230629 patch: 35551080'},
  {'min_version': '7.0.0.0.0', 'fixed_version': '7.0.0.0.230710', 'fixed_display': '7.0.0.0.230710 patch: 35584677'}
];

vcf::check_version_and_report(app_info: app_info, constraints:constraints, severity:SECURITY_HOLE);
VendorProductVersionCPE
oraclebusiness_intelligencecpe:/a:oracle:business_intelligence

References

Related

nessus 27
redhat 3
ibm 38
openvas 23
fedora 9
f5 1
prion 13
debian 3
cve 13
debiancve 7
osv 23
redhatcve 5
cnvd 2
veracode 8
github 6
cbl_mariner 2
ubuntucve 9
mageia 2
amazon 1
symantec 1
suse 1
huntr 1
githubexploit 1
nessus
nessus
Oracle Business Intelligence Publisher (OBIEE) (July 2023 CPU)
2023-07-21 00:00:00
Oracle Identity Manager (October 2023 CPU)
2023-10-20 00:00:00
Oracle Business Intelligence Enterprise Edition (OAS 7.0) (October 2023 CPU)
2023-10-20 00:00:00
redhat
redhat
(RHSA-2023:3667) Moderate: Red Hat Integration Camel Extensions for Quarkus 2.13.3 security update
2023-06-19 16:31:18
(RHSA-2022:9032) Important: Red Hat build of Eclipse Vert.x 4.3.4 security update
2022-12-15 12:38:08
(RHSA-2019:4192) Important: rh-maven35-jackson-databind security update
2019-12-10 15:26:25
ibm
ibm
Security Bulletin: IBM Security QRadar SOAR is using a component vulnerable to Cross Site Scripting (CVE-2021-41182, CVE-2021-41183, CVE-2021-41184)
2022-03-03 17:06:48
Security Bulletin: Multiple vulnerabilities in jQuery-UI affect IBM Tivoli Netcool Impact (CVE-2021-41182, CVE-2021-41183, CVE-2021-41184)
2021-12-10 10:54:12
Security Bulletin: IBM Aspera Orchestrator was vulnerable to cross-site scripting due to multiple JQuery vulnerabilities (CVE-2021-41184, CVE-2021-41183, CVE-2021-41182)
2023-02-02 20:55:36
openvas
openvas
Fedora: Security Advisory for js-jquery-ui (FEDORA-2021-013ab302be)
2021-12-04 00:00:00
Fedora: Security Advisory for js-jquery-ui (FEDORA-2021-ab38307fc3)
2021-12-04 00:00:00
Fedora: Security Advisory for js-jquery-ui (FEDORA-2021-51c256bf87)
2021-12-04 00:00:00
fedora
fedora
[SECURITY] Fedora 34 Update: js-jquery-ui-1.13.0-1.fc34
2021-11-20 01:11:49
[SECURITY] Fedora 35 Update: js-jquery-ui-1.13.0-1.fc35
2021-11-20 01:08:33
[SECURITY] Fedora 33 Update: js-jquery-ui-1.13.0-1.fc33
2021-11-20 01:45:55
f5
f5
K50455702 : jQuery vulnerabilities CVE-2021-41182, CVE-2021-41183, and CVE-2021-41184
2022-03-28 00:00:00
prion
prion
Buffer overflow
2023-07-18 21:15:00
Directory traversal
2023-01-29 05:15:00
Cross site scripting
2022-11-01 16:15:00
debian
debian
[SECURITY] [DLA 3230-1] jqueryui security update
2022-12-07 10:30:55
[SECURITY] [DLA 2696-1] libjdom2-java security update
2021-06-29 11:12:57
[SECURITY] [DSA 5307-1] libcommons-net-java security update
2022-12-29 21:45:12
cve
cve
CVE-2023-22061
2023-07-18 21:15:15
CVE-2023-22020
2023-07-18 21:15:12
CVE-2022-48285
2023-01-29 05:15:10
debiancve
debiancve
CVE-2022-48285
2023-01-29 05:15:10
CVE-2020-11988
2021-02-24 18:15:00
CVE-2022-24891
2022-04-27 21:15:00
osv
osv
jqueryui - security update
2022-12-07 00:00:00
CVE-2022-24891
2022-04-27 21:15:08
PYSEC-2022-42976
2022-11-01 16:15:00
redhatcve
redhatcve
CVE-2022-48285
2023-01-31 05:35:23
CVE-2022-31777
2022-11-23 16:56:13
CVE-2020-11988
2021-03-01 19:34:27
cnvd
cnvd
Apache Spark Injection Vulnerability
2022-11-03 00:00:00
OWASP ESAPI Cross-Site Scripting Vulnerability
2022-04-29 00:00:00
veracode
veracode
Cross-site Scripting (XSS)
2022-11-02 02:13:04
Directory Traversal
2023-02-06 04:51:43
XML External Entity (XXE)
2021-02-26 07:08:00
github
github
JSZip contains Path Traversal via loadAsync
2023-01-29 06:30:52
Server-side request forgery (SSRF) in Apache XmlGraphics Commons
2022-02-09 00:45:56
Apache Spark vulnerable to Log Injection
2022-11-01 19:00:29
cbl_mariner
cbl_mariner
CVE-2022-48285 affecting package mozjs for versions less than 102.15.1-1
2024-03-19 17:21:46
CVE-2022-48285 affecting package mozjs60 60.9.0-11
2023-07-28 23:16:55
ubuntucve
ubuntucve
CVE-2020-11988
2021-02-24 00:00:00
CVE-2022-24891
2022-04-27 00:00:00
CVE-2023-20861
2023-03-23 00:00:00
mageia
mageia
Updated xmlgraphics-commons packages fix a security vulnerability
2021-03-18 12:56:09
Updated jdom/jdom2 packages fix a security vulnerability
2021-07-27 23:21:53
amazon
amazon
Medium: xmlgraphics-commons
2024-01-03 21:04:00
symantec
symantec
FasterXML Jackson-databind CVE-2019-17531 Remote Code Execution Vulnerability
2019-10-12 00:00:00
suse
suse
Security update for jdom2 (important)
2021-07-13 00:00:00
huntr
huntr
CKeditor 4.20.2 in use which is vulnerable to CVE-2023-28439
2023-04-18 14:37:27
githubexploit
githubexploit
Exploit for Vulnerability in Apache Commons Configuration
2022-07-08 09:25:42
JSON
Related for ORACLE_OBIEE_CPU_JUL_2023_OAS.NASL
nessus27redhat3ibm38openvas23fedora9f51prion13debian3cve13debiancve7osv23redhatcve5cnvd2veracode8github6cbl_mariner2ubuntucve9mageia2amazon1symantec1suse1huntr1githubexploit1