SB2023071977 - Multiple vulnerabilities in Oracle Business Intelligence Enterprise Edition
Published: July 19, 2023 Updated: March 14, 2025
Description
This security bulletin contains information about 27 security vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2023-22027)
The vulnerability allows a remote authenticated user to perform service disruption.
The vulnerability exists due to improper input validation within the Analytics Server component in Oracle Business Intelligence Enterprise Edition. A remote authenticated user can exploit this vulnerability to perform service disruption.
2) Improper input validation (CVE-ID: CVE-2023-22021)
The vulnerability allows a remote authenticated user to perform service disruption.
The vulnerability exists due to improper input validation within the Analytics Server component in Oracle Business Intelligence Enterprise Edition. A remote authenticated user can exploit this vulnerability to perform service disruption.
3) Improper input validation (CVE-ID: CVE-2023-22012)
The vulnerability allows a remote authenticated user to manipulate data.
The vulnerability exists due to improper input validation within the Analytics Server component in Oracle Business Intelligence Enterprise Edition. A remote authenticated user can exploit this vulnerability to manipulate data.
4) Improper input validation (CVE-ID: CVE-2023-22013)
The vulnerability allows a remote authenticated user to manipulate data.
The vulnerability exists due to improper input validation within the Analytics Server component in Oracle Business Intelligence Enterprise Edition. A remote authenticated user can exploit this vulnerability to manipulate data.
5) Improper input validation (CVE-ID: CVE-2023-22061)
The vulnerability allows a remote authenticated user to read and manipulate data.
The vulnerability exists due to improper input validation within the Visual Analyzer component in Oracle Business Intelligence Enterprise Edition. A remote authenticated user can exploit this vulnerability to read and manipulate data.
6) Stored cross-site scripting (CVE-ID: CVE-2022-31777)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the log viewer UI. A remote attacker can permanently inject arbitrary JavaScript code into the application logs and execute it in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
7) Improper input validation (CVE-ID: CVE-2023-22020)
The vulnerability allows a remote authenticated user to read and manipulate data.
The vulnerability exists due to improper input validation within the Analytics Server component in Oracle Business Intelligence Enterprise Edition. A remote authenticated user can exploit this vulnerability to read and manipulate data.
8) Improper input validation (CVE-ID: CVE-2023-22011)
The vulnerability allows a remote authenticated user to manipulate or delete data.
The vulnerability exists due to improper input validation within the Analytics Server component in Oracle Business Intelligence Enterprise Edition. A remote authenticated user can exploit this vulnerability to manipulate or delete data.
9) Cross-site scripting (CVE-ID: CVE-2023-28439)
The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data within the Iframe Dialog and Media Embed packages. A remote user can inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
10) Cross-site scripting (CVE-ID: CVE-2021-41183)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing values of various `*Text` options. A remote attacker can pass specially crafted input to the library and execute arbitrary JavaScript code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
11) Insufficient verification of data authenticity (CVE-ID: CVE-2021-37533)
The vulnerability allows an attacker to redirect victim to a malicious host.
The vulnerability exists because the application trusts the host from the PASV response by default. A remote attacker can trick the victim into connecting to an attacker-controlled FTP server and then redirect the application to another host.
12) Protection mechanism failure (CVE-ID: CVE-2019-10086)
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists because BeanUtils does not by default use a special BeanIntrospector class in PropertyUtilsBean that was supposed to suppress the ability for an attacker to access the classloader via the class property available on all Java objects. A remote attacker can abuse this behavior against applications that were developed to rely on this security feature.
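As an added illustration of the BeanUtils entry above (example code written for this bulletin, not code from Oracle or from Commons BeanUtils), the following shows the permissive configuration beside the hardened one: registering `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS` removes `class` from the readable properties, so a dotted path such as `class.classLoader` can no longer be resolved. The `Config` bean and the property names are constructed for the demonstration; it assumes Commons BeanUtils 1.9.x on the classpath.

```java
// Added example: hardening Commons BeanUtils so the "class" property cannot be
// walked to reach the ClassLoader. Not part of the bulletin or of BeanUtils itself.
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class BeanUtilsHardening {

    // Constructed sample bean; in the vulnerable pattern the property path
    // passed to BeanUtils comes from attacker-controlled input.
    public static class Config {
        private String name = "nightly";
        public String getName() { return name; }
        public void setName(String n) { name = n; }
    }

    // Weak setup (default behaviour before BeanUtils 1.9.4): the introspector
    // that hides "class" is not registered, so "class.classLoader" resolves.
    public static BeanUtilsBean permissiveBeanUtils() {
        return new BeanUtilsBean();
    }

    // Hardened setup: register the suppressing introspector so "class" is no
    // longer a readable property on any bean handled by this instance.
    public static BeanUtilsBean hardenedBeanUtils() {
        BeanUtilsBean bub = new BeanUtilsBean();
        bub.getPropertyUtils().addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return bub;
    }

    // Resolve a dotted property path and report whether it was readable.
    static String tryRead(BeanUtilsBean bub, Object bean, String property) {
        try {
            Object v = bub.getPropertyUtils().getNestedProperty(bean, property);
            return "readable: " + property + " -> " + (v == null ? "null" : v.getClass().getName());
        } catch (ReflectiveOperationException e) {
            // NoSuchMethodException is what the hardened instance raises for "class".
            return "blocked: " + property + " (" + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) {
        Config cfg = new Config();
        System.out.println(tryRead(permissiveBeanUtils(), cfg, "class.classLoader"));
        System.out.println(tryRead(hardenedBeanUtils(), cfg, "class.classLoader"));
        System.out.println(tryRead(hardenedBeanUtils(), cfg, "name"));
    }
}
```

With BeanUtils 1.9.4 or later the suppressing introspector is registered by default, so both instances print "blocked" for `class.classLoader`; on earlier releases only the hardened instance does. The `name` property remains readable either way, which is the check to run after applying the hardening to confirm normal bean access still works.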
13) Path traversal (CVE-ID: CVE-2022-48285)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the loadAsync() method. A remote attacker can pass a specially crafted ZIP archive to the application and overwrite arbitrary files on the system.
14) Deserialization of Untrusted Data (CVE-ID: CVE-2022-42003)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing serialized data while the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. A remote attacker can pass specially crafted data to the application and cause a denial of service condition on the target system.
15) Uncontrolled Recursion (CVE-ID: CVE-2023-1436)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to uncontrolled recursion when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
16) Resource exhaustion (CVE-ID: CVE-2021-36090)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources when processing ZIP archives. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
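The two ZIP-handling entries above (path traversal through archive entry names, and resource exhaustion while inflating) share one defensive pattern on the consuming side. The following is an added example written for this bulletin, not code from Oracle or from any of the affected libraries: it extracts an archive with `java.util.zip`, rejects any entry whose normalized destination leaves the target directory, and caps entry count, total inflated bytes and per-entry compression ratio. The limits and the in-memory sample archives are constructed for the demonstration.

```java
// Added example: defensive ZIP extraction (traversal check plus inflation limits).
// Not part of the bulletin; limits below are constructed and should be tuned.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class SafeUnzip {
    static final int MAX_ENTRIES = 1_000;                  // constructed limit
    static final long MAX_TOTAL_BYTES = 50L * 1024 * 1024; // constructed limit
    static final long MAX_RATIO = 100;                     // constructed limit

    public static List<String> extractSafely(InputStream in, Path targetDir) throws IOException {
        Path root = targetDir.toAbsolutePath().normalize();
        Files.createDirectories(root);
        List<String> written = new ArrayList<>();
        byte[] buf = new byte[8192];
        long totalBytes = 0;
        int entries = 0;
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                if (++entries > MAX_ENTRIES) {
                    throw new IOException("entry count limit exceeded");
                }
                // Traversal check: after normalization the destination must still be under root.
                // This also rejects absolute entry names such as "/etc/x".
                Path dest = root.resolve(entry.getName()).normalize();
                if (!dest.startsWith(root)) {
                    throw new IOException("entry escapes target directory: " + entry.getName());
                }
                if (entry.isDirectory()) {
                    Files.createDirectories(dest);
                    continue;
                }
                Files.createDirectories(dest.getParent());
                long entryBytes = 0;
                try (OutputStream out = Files.newOutputStream(dest)) {
                    int n;
                    while ((n = zis.read(buf)) != -1) {
                        entryBytes += n;
                        totalBytes += n;
                        // Count inflated bytes as they are produced; never trust the header sizes.
                        if (totalBytes > MAX_TOTAL_BYTES) {
                            throw new IOException("uncompressed size limit exceeded");
                        }
                        out.write(buf, 0, n);
                    }
                }
                // Compressed size is known once the entry has been fully read (data descriptor).
                long compressed = entry.getCompressedSize();
                if (compressed > 0 && entryBytes / compressed > MAX_RATIO) {
                    throw new IOException("suspicious compression ratio: " + entry.getName());
                }
                written.add(entry.getName());
            }
        }
        return written;
    }

    // Builds a small in-memory archive from (name, content) pairs; constructed test input.
    static byte[] buildZip(String[][] entries) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            for (String[] e : entries) {
                zos.putNextEntry(new ZipEntry(e[0]));
                zos.write(e[1].getBytes(StandardCharsets.UTF_8));
                zos.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path out = Files.createTempDirectory("safe-unzip");
        byte[] benign = buildZip(new String[][] {{"report/data.txt", "hello"}, {"report/meta.txt", "v1"}});
        System.out.println("benign archive: " + extractSafely(new ByteArrayInputStream(benign), out));
        byte[] traversal = buildZip(new String[][] {{"../outside.txt", "would land outside the target"}});
        try {
            extractSafely(new ByteArrayInputStream(traversal), out);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Extraction stops at the first offending entry, so files written before it remain on disk; callers that need all-or-nothing semantics should extract into a fresh temporary directory and move it into place only on success.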
17) Improper input validation (CVE-ID: CVE-2019-0227)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the Core (Apache Axis) component in Oracle Communications Design Studio. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.
18) Deserialization of Untrusted Data (CVE-ID: CVE-2022-25647)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to insufficient input validation when processing serialized data passed to the writeReplace() method. A remote attacker can pass specially crafted data to the application and perform a denial of service attack.
19) XML External Entity injection (CVE-ID: CVE-2021-33813)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied XML input within the SAXBuilder. A remote attacker can pass specially crafted XML code to the affected application and view the contents of arbitrary files on the system or initiate requests to external systems.
Successful exploitation of the vulnerability may allow an attacker to view the contents of arbitrary files on the server or perform network scanning of internal and external infrastructure.
20) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2023-24998)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because Apache Commons FileUpload does not limit the number of request parts. A remote attacker can initiate a series of uploads and perform a denial of service (DoS) attack.
21) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2020-11988)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input within the XMPParser in Apache XmlGraphics Commons. A remote attacker can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive data located in the local network or to send malicious requests to other servers from the vulnerable system.
22) SQL injection (CVE-ID: CVE-2018-1282)
The vulnerability allows a remote attacker to bypass security restrictions and execute arbitrary SQL commands in the web application database.
The weakness exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted HTTP request to a vulnerable script, bypass the argument escaping and cleanup that the JDBC driver performs in its PreparedStatement implementation, and execute arbitrary SQL commands in the web application database.
Successful exploitation of the vulnerability may allow an attacker to gain administrative access to the vulnerable web application.
23) Code Injection (CVE-ID: CVE-2022-33980)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
24) Deserialization of Untrusted Data (CVE-ID: CVE-2022-1471)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient input validation when processing serialized data within SnakeYaml's Constructor class. A remote attacker can pass specially crafted YAML content to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
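As an added example for the SnakeYaml entry above (written for this bulletin, not code from Oracle or from the SnakeYAML project), the following places the vulnerable loader configuration beside the safe one. `Constructor` resolves YAML global tags (`!!some.Class`) to Java classes and instantiates them, which is the behaviour the entry describes; `SafeConstructor` only builds standard YAML types and refuses any global tag. The sample documents and the `example.NotAllowed` tag are constructed; the code assumes SnakeYAML 1.33 or 2.x, where both constructors take a `LoaderOptions` argument.

```java
// Added example: loading untrusted YAML with SafeConstructor instead of Constructor.
// Not part of the bulletin or of SnakeYAML itself.
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlLoad {
    // Constructed sample input.
    static final String BENIGN = "name: nightly-report\nretries: 3\n";
    // Constructed: a global tag naming an arbitrary class. Constructor would try to
    // resolve and instantiate it; SafeConstructor rejects the tag outright.
    static final String TAGGED = "!!example.NotAllowed {}\n";

    // Vulnerable pattern: Constructor maps global tags to classes on the classpath.
    public static Yaml permissiveYaml() {
        return new Yaml(new Constructor(new LoaderOptions()));
    }

    // Hardened pattern: SafeConstructor yields only maps, lists and scalars.
    public static Yaml safeYaml() {
        LoaderOptions opts = new LoaderOptions();
        opts.setAllowDuplicateKeys(false);
        return new Yaml(new SafeConstructor(opts));
    }

    // Typical use: untrusted configuration is loaded safely and then validated by shape.
    public static Map<String, Object> loadConfig(String yaml) {
        Object o = safeYaml().load(yaml);
        if (!(o instanceof Map)) {
            throw new IllegalArgumentException("expected a mapping at the top level");
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> m = (Map<String, Object>) o;
        return m;
    }

    public static void main(String[] args) {
        System.out.println("safe load: " + loadConfig(BENIGN));
        try {
            safeYaml().load(TAGGED);
            System.out.println("unexpected: tagged document accepted");
        } catch (YAMLException e) {
            // SafeConstructor raises a ConstructorException for any unknown global tag.
            System.out.println("rejected: " + e.getMessage().split("\n")[0]);
        }
    }
}
```

Where an application genuinely needs typed YAML, the alternative is a `Constructor` bound to one root class with an explicit `TagInspector` that allows only that class's package; unrestricted `Constructor` on input that crosses a trust boundary is the configuration the entry above describes.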
25) XML External Entity injection (CVE-ID: CVE-2019-13990)
The vulnerability allows a remote attacker to conduct an XML External Entity (XXE) attack on a targeted system.
The vulnerability exists due to insufficient validation of user-supplied XML input in the "initDocumentParser" function in the "xml/XMLSchedulingDataProcessor.java" file. A remote authenticated attacker can submit a malicious job description to the targeted system and conduct an XXE attack.
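Entries 19 and 25 both describe XML External Entity injection in a parser fed with user-supplied documents. The following added example (written for this bulletin, not code from Oracle, JDOM or Quartz) shows the JDOM `SAXBuilder` named in entry 19 configured so that DOCTYPE declarations are refused and external entities and DTDs are never resolved; the same feature URIs apply to the JDK's `DocumentBuilderFactory` through its `setFeature` method. The job documents, and the `file:///placeholder/secret` URI in the DOCTYPE sample, are constructed placeholders; the code assumes JDOM 2.x with the JDK's bundled Xerces parser.

```java
// Added example: a SAXBuilder hardened against XXE, beside the default configuration.
// Not part of the bulletin; sample documents are constructed.
import java.io.IOException;
import java.io.StringReader;
import org.jdom2.Document;
import org.jdom2.JDOMException;
import org.jdom2.input.SAXBuilder;
import org.jdom2.input.sax.XMLReaders;

public class HardenedXmlParsing {
    static final String BENIGN_JOB =
        "<job-scheduling-data><job><name>nightly-report</name></job></job-scheduling-data>";
    // Constructed: declares an external entity. The URI is a placeholder, not a real target.
    static final String DOCTYPE_JOB =
        "<!DOCTYPE job-scheduling-data [<!ENTITY ext SYSTEM \"file:///placeholder/secret\">]>"
      + "<job-scheduling-data><job><name>&ext;</name></job></job-scheduling-data>";

    // Weak setting: the defaults expand entities and will fetch external DTDs and entities.
    public static SAXBuilder defaultBuilder() {
        return new SAXBuilder();
    }

    // Hardened setting: refuse DOCTYPE entirely and turn off every external fetch path.
    public static SAXBuilder hardenedBuilder() {
        SAXBuilder b = new SAXBuilder(XMLReaders.NONVALIDATING);
        b.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        b.setFeature("http://xml.org/sax/features/external-general-entities", false);
        b.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        b.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        b.setExpandEntities(false);
        return b;
    }

    // Parses a job document and returns the job name, or throws if the parser rejects it.
    public static String jobName(SAXBuilder builder, String xml) throws JDOMException, IOException {
        Document doc = builder.build(new StringReader(xml));
        return doc.getRootElement().getChild("job").getChildText("name");
    }

    public static void main(String[] args) throws IOException {
        try {
            System.out.println("benign: " + jobName(hardenedBuilder(), BENIGN_JOB));
            // With disallow-doctype-decl set, this throws before any entity is resolved.
            System.out.println("doctype: " + jobName(hardenedBuilder(), DOCTYPE_JOB));
        } catch (JDOMException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Disallowing DOCTYPE is the single most effective setting, since it stops both entity expansion and parameter-entity tricks before the parser reads any entity definition; the remaining features are defence in depth for parsers where DOCTYPE must be tolerated.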
26) Input validation error (CVE-ID: CVE-2019-17531)
The vulnerability allows a remote attacker to compromise the affected software.
The vulnerability exists due to a Polymorphic Typing issue in jackson-databind when processing JSON requests. A remote attacker can send specially crafted JSON data to a JNDI service and execute a malicious payload.
Successful exploitation of the vulnerability requires that Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath.
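Entries 14 and 26 both concern jackson-databind: the first is triggered only when UNWRAP_SINGLE_VALUE_ARRAYS is enabled, the second only when Default Typing is enabled. The added example below (written for this bulletin, not code from Oracle or from the Jackson project) puts the permissive mapper configuration beside a hardened one: polymorphic type ids are accepted only for an explicit allowlist via `BasicPolymorphicTypeValidator`, the single-value-array feature stays off, and parser nesting depth is bounded with `StreamReadConstraints`. The `Job` class and the JSON documents are constructed; the code assumes Jackson 2.15 or later for `StreamReadConstraints` (the validator API exists from 2.10).

```java
// Added example: permissive vs. hardened jackson-databind configuration.
// Not part of the bulletin or of Jackson; sample documents are constructed.
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator;
import java.io.IOException;

public class SafeJsonMapping {

    // Constructed application type that the hardened mapper is allowed to instantiate.
    public static class Job {
        public String name;
        public int retries;
    }

    // Weak setting: default typing with a validator that allows every class name,
    // so any type id in the document is resolved to a class on the classpath.
    public static ObjectMapper permissiveMapper() {
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(LaissezFaireSubTypeValidator.instance, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Corrected setting: if polymorphism is needed at all, allow only application types,
    // keep single-value-array unwrapping off, and cap nesting depth (constructed value).
    public static ObjectMapper hardenedMapper() {
        StreamReadConstraints limits = StreamReadConstraints.builder().maxNestingDepth(200).build();
        JsonFactory factory = JsonFactory.builder().streamReadConstraints(limits).build();
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Job.class)
                .build();
        ObjectMapper m = JsonMapper.builder(factory).build();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        m.disable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
        return m;
    }

    // Reads a document whose declared type is unknown and reports what the mapper did.
    static String tryRead(ObjectMapper m, String json) {
        try {
            Object v = m.readValue(json, Object.class);
            return "accepted: " + v.getClass().getName();
        } catch (JsonMappingException e) {
            // The allowlist validator rejects type ids with InvalidTypeIdException (a JsonMappingException).
            return "rejected: " + e.getOriginalMessage();
        } catch (IOException e) {
            return "error: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Wrapper-array type ids, the format activateDefaultTyping uses by default.
        String jobJson = "[\"SafeJsonMapping$Job\", {\"name\": \"nightly\", \"retries\": 3}]";
        String foreign = "[\"java.util.HashMap\", {}]"; // constructed: a type id outside the allowlist
        System.out.println(tryRead(hardenedMapper(), jobJson));
        System.out.println(tryRead(hardenedMapper(), foreign));
        System.out.println(tryRead(permissiveMapper(), foreign));
    }
}
```

The hardened mapper accepts the `Job` document and rejects the foreign type id, while the permissive mapper instantiates whatever class the document names. Where no polymorphic deserialization is required, the stronger choice is to leave default typing off altogether, which is also Jackson's default.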
27) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2022-29361)
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of the vulnerability may allow an attacker to poison the HTTP cache and perform phishing attacks.
Remediation
Install update from vendor's website.