SB20260422128 - Multiple vulnerabilities in Oracle Business Intelligence Enterprise Edition
Published: April 22, 2026 Updated: April 27, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 14 vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2023-35116)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote authenticated user to perform service disruption.
The vulnerability exists due to improper input validation within the Oracle Database Fleet Patching and Provisioning (jackson-databind) in Oracle Database Server. A remote authenticated user can exploit this vulnerability to perform service disruption.
2) Improper validation of certificate with host mismatch (CVE-ID: CVE-2025-68161)
CWE-ID: CWE-297 - Improper Validation of Certificate with Host Mismatch
CVSSv4: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to the Socket Appender does not perform TLS hostname verification of the peer certificate, even when the "verifyHostName" configuration attribute or the "log4j2.sslVerifyHostName" system property is set to true. A remote attacker can perform MitM attack and intercept or redirect the log traffic.
3) Command Injection (CVE-ID: CVE-2025-59419)
CWE-ID: CWE-77 - Command injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary SMTP commands.
The vulnerability exists due to insufficient input validation in the SMTP codec. A remote attacker can pass specially crafted data to the application and forge arbitrary emails from the trusted server.
4) Information disclosure (CVE-ID: CVE-2021-28168)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to gain access to potentially sensitive information.
The vulnerability exists due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. A local attacker can gain unauthorized access to sensitive information on the system.
5) Code Injection (CVE-ID: CVE-2025-33042)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability occurs when generating specific records from untrusted Avro schemas. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.
6) Input validation error (CVE-ID: CVE-2025-24970)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in SslHandler when using native SSLEngine. A remote attacker can send a specially crafted packet to the application and perform a denial of service (DoS) attack.
7) Resource exhaustion (CVE-ID: CVE-2023-52428)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper validation of user requests by the PasswordBasedDecrypter (PBKDF2) component. A remote attacker can send a specially crafted request using a large JWE p2c header, trigger resource exhaustion and perform a denial of service (DoS) attack.
8) Resource exhaustion (CVE-ID: CVE-2025-58057)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources in BrotliDecoder and some other decompressing decoders. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
9) Improper handling of highly compressed data (CVE-ID: CVE-2026-21441)
CWE-ID: CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the application does not properly handle highly compressed data when sending HTTP redirect responses. A remote attacker can multiple large requests to the application, consume all available CPU and memory resources and perform a denial of service attack.
10) Protection Mechanism Failure (CVE-ID: CVE-2025-46762)
CWE-ID: CWE-693 - Protection Mechanism Failure
CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation when parsing Avro schema from a Parquet file metadata. A remote attacker can trick the victim into installing a malicious package and execute arbitrary code on the system.
Note, the default setting of trusted packages still allows malicious classes from these packages to be executed.
11) Stack-based buffer overflow (CVE-ID: CVE-2025-15467)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters. A remote attacker can supply a specially crafted CMS message with an oversized IV, trigger a stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
12) Improper access control (CVE-ID: CVE-2025-48734)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions to enum properties. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty().
13) Deserialization of Untrusted Data (CVE-ID: CVE-2026-27830)
CWE-ID: CWE-502 - Deserialization of Untrusted Data
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to unsafe deserialization in the userOverridesAsString property of c3p0 ConnectionPoolDataSource implementations when processing maliciously crafted Java-serialized objects or javax.naming.Reference instances. A remote user can reset this property or supply crafted serialized objects or references to execute arbitrary code.
The impact can be amplified when embedded JNDI references trigger dereferencing of a remote factoryClassLocation.
14) Improper input validation (CVE-ID: CVE-2026-27727)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the Platform Security (Mchange Commons Java) component in Oracle Business Intelligence Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.
Remediation
Install update from vendor's website.