Lucene search
K

Oracle Business Intelligence Enterprise Edition (October 2025 CPU)

🗓️ 18 Nov 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 4 Views

Oracle Business Intelligence Enterprise Edition has multiple October 2025 CPU vulnerabilities affecting several versions.

Related
Refs
Code
ReporterTitlePublishedViews
Family
IBM Security Bulletins
Security Bulletin: IBM Maximo Application Suite Ai-Service Component uses uthentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat.
9 Jul 202507:25
ibm
IBM Security Bulletins
Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is affected by a denial of service due to Apache Commons FileUpload (CVE-2025-48976)
3 Sep 202518:09
ibm
IBM Security Bulletins
Security Bulletin: Vulnerability has been identified in WebSphere Application Server shipped with WebSphere Service Registry and Repository (CVE-2025-48976)
15 Aug 202509:21
ibm
IBM Security Bulletins
Security Bulletin: Vulnerability in Apache Commons IO affects IBM watsonx Assistant for IBM Cloud Pak for Data
5 Feb 202520:46
ibm
IBM Security Bulletins
Security Bulletin: Denial of Service vulnerability in Apache Commons IO affects IBM Business Automation Workflow - CVE-2024-47554
7 Feb 202516:25
ibm
IBM Security Bulletins
Security Bulletin: IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to multiple Apache Tomcat vulnerabilities (CVE-2025-48976, CVE-2025-48988)
17 Jul 202518:27
ibm
IBM Security Bulletins
Security Bulletin: IBM SPSS Analytic Server is affected by a Denial of Service (DoS) vulnerability in Apache Commons FileUpload.
20 Sep 202500:54
ibm
IBM Security Bulletins
Security Bulletin: IBM Engineering Lifecycle Optimization - Engineering Publishing Apache Commons IO is vulnerable to a denial of service, caused by an uncontrolled resource consumption flaw in the org.apache.commons.io.input.XmlStreamReader class.
3 Jan 202511:04
ibm
IBM Security Bulletins
Security Bulletin: Multiple vulnerabilities affect IBM Data Virtualization on Cloud Pak for Data (March 2025)
27 Mar 202516:18
ibm
IBM Security Bulletins
Security Bulletin: Vulnerability in commons-io affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) [CVE-2024-47554]
20 Jun 202510:31
ibm
Rows per page
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(275601);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/18");

  script_cve_id(
    "CVE-2024-12797",
    "CVE-2024-47554",
    "CVE-2025-48976",
    "CVE-2025-53049"
  );

  script_name(english:"Oracle Business Intelligence Enterprise Edition (October 2025 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by multiple vulnerabilities");
  script_set_attribute(attribute:"description", value:
"The 8.2.0.0.0 and 12.2.1.4.0 versions of Oracle Business Intelligence Enterprise Edition installed on the remote host
are affected by multiple vulnerabilities as referenced in the October 2025 CPU advisory.

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics
    (component: Analytics Web Administration). Supported versions that are affected are 7.6.0.0.0 and
    8.2.0.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP
    to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human
    interaction from a person other than the attacker and while the vulnerability is in Oracle Business
    Intelligence Enterprise Edition, attacks may significantly impact additional products (scope change).
    Successful attacks of this vulnerability can result in takeover of Oracle Business Intelligence Enterprise
    Edition. (CVE-2025-53049)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics
    (component: Platform Security (Apache Commons FileUpload)). Supported versions that are affected are
    7.6.0.0.0, 8.2.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with
    network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks
    of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash
    (complete DOS) of Oracle Business Intelligence Enterprise Edition. (CVE-2025-48976)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics
    (component: Analytics Server (Cryptography)). Supported versions that are affected are 7.6.0.0.0 and
    8.2.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP
    to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human
    interaction from a person other than the attacker. Successful attacks of this vulnerability can result in
    unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition
    accessible data as well as unauthorized read access to a subset of Oracle Business Intelligence Enterprise
    Edition accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of
    Oracle Business Intelligence Enterprise Edition. (CVE-2024-12797)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics
    (component: Analytics Server (Apache Commons IO)). Supported versions that are affected are 7.6.0.0.0,
    8.2.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network
    access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require
    human interaction from a person other than the attacker. Successful attacks of this vulnerability can
    result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Business
    Intelligence Enterprise Edition. (CVE-2024-47554)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/docs/tech/security-alerts/cpuoct2025csaf.json");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpuoct2025.html");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the October 2025 Oracle Critical Patch Update advisory.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:M/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:U");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-53049");
  script_set_attribute(attribute:"cvss4_score_source", value:"CVE-2025-48976");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/10/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/10/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/11/18");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:business_intelligence");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_analytics_server_installed.nbin");
  script_require_keys("installed_sw/Oracle Analytics Server");

  exit(0);
}

include('vcf.inc');

var app_info = vcf::get_app_info(app:'Oracle Analytics Server');

var constraints = [
  {'min_version': '7.6.0.0.0', 'fixed_version': '7.6.0.0.250905', 'fixed_display': '7.6.0.0.250905 patch: 38396889'},
  {'min_version': '8.2.0.0.0', 'fixed_version': '8.2.0.0.250924', 'fixed_display': '8.2.0.0.250924 patch: 38465292'}
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

18 Nov 2025 00:00Current
7.3High risk
Vulners AI Score7.3
CVSS 3.18.4
EPSS0.63258
SSVC
4