Multiple vulnerabilities in Oracle BI Publisher
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2024-38820 CVE-2025-30723 CVE-2025-30724 CVE-2023-24998 |
| CWE-ID | CWE-254 CWE-20 CWE-770 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #4 is available. |
| Vulnerable software |
Oracle BI Publisher Other software / Other software solutions |
| Vendor | Oracle |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Security features bypass
EUVDB-ID: #VU98795
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-38820
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to String.toLowerCase() has some Locale dependent exceptions when handling case insensitive patterns in DataBinder. A remote attacker can bypass implemented security restrictions by passing specially crafted data to the application.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle BI Publisher: 7.6.0.0.0
CPE2.3 External linkshttps://www.oracle.com/security-alerts/cpuapr2025.html?3240
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper input validation
EUVDB-ID: #VU107518
Risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-30723
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to manipulate or delete data.
The vulnerability exists due to improper input validation within the XML Services component in Oracle BI Publisher. A remote authenticated user can exploit this vulnerability to manipulate or delete data.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle BI Publisher: 7.6.0.0.0 - 12.2.1.4.0
CPE2.3- cpe:2.3:a:oracle:oracle_bi_publisher:7.6.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_bi_publisher:12.2.1.4.0:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuapr2025.html?3240
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper input validation
EUVDB-ID: #VU107517
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-30724
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the XML Services component in Oracle BI Publisher. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle BI Publisher: 7.6.0.0.0 - 12.2.1.4.0
CPE2.3- cpe:2.3:a:oracle:oracle_bi_publisher:7.6.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_bi_publisher:12.2.1.4.0:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuapr2025.html?3240
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Allocation of Resources Without Limits or Throttling
EUVDB-ID: #VU72427
Risk: Medium
CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2023-24998
CWE-ID:
CWE-770 - Allocation of Resources Without Limits or Throttling
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to Apache Commons FileUpload does not limit the number of request parts. A remote attacker can initiate a series of uploads and perform a denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsOracle BI Publisher: 7.6.0.0.0 - 12.2.1.4.0
CPE2.3- cpe:2.3:a:oracle:oracle_bi_publisher:7.6.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_bi_publisher:12.2.1.4.0:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuapr2025.html?3240
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
