gsd - gsd-2024-21083

gsd-2024-21083

Vulnerability from gsd

Modified

2023-12-13 01:21

Details

Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: Script Engine). Supported versions that are affected are 7.0.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks of this vulnerability can result in takeover of Oracle BI Publisher. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

Aliases

CVE-2024-21083

Aliases

CVE-2024-21083

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2024-21083",
    "id": "GSD-2024-21083"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-21083"
      ],
      "details": "Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: Script Engine).  Supported versions that are affected are 7.0.0.0.0 and  12.2.1.4.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle BI Publisher.  Successful attacks of this vulnerability can result in takeover of Oracle BI Publisher. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).",
      "id": "GSD-2024-21083",
      "modified": "2023-12-13T01:21:42.686831Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert_us@oracle.com",
        "ID": "CVE-2024-21083",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "BI Publisher (formerly XML Publisher)",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "7.0.0.0.0"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "12.2.1.4.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Oracle Corporation"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: Script Engine).  Supported versions that are affected are 7.0.0.0.0 and  12.2.1.4.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle BI Publisher.  Successful attacks of this vulnerability can result in takeover of Oracle BI Publisher. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle BI Publisher.  Successful attacks of this vulnerability can result in takeover of Oracle BI Publisher."
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.oracle.com/security-alerts/cpuapr2024.html",
            "refsource": "MISC",
            "url": "https://www.oracle.com/security-alerts/cpuapr2024.html"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: Script Engine).  Supported versions that are affected are 7.0.0.0.0 and  12.2.1.4.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle BI Publisher.  Successful attacks of this vulnerability can result in takeover of Oracle BI Publisher. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)."
          },
          {
            "lang": "es",
            "value": "Vulnerabilidad en el producto Oracle BI Publisher de Oracle Analytics (componente: Script Engine). Las versiones compatibles que se ven afectadas son 7.0.0.0.0 y 12.2.1.4.0. Una vulnerabilidad f\u00e1cilmente explotable permite a un atacante con altos privilegios y acceso a la red a trav\u00e9s de HTTP comprometer Oracle BI Publisher. Los ataques exitosos a esta vulnerabilidad pueden resultar en la adquisici\u00f3n de Oracle BI Publisher. CVSS 3.1 Puntuaci\u00f3n base 7.2 (impactos en la confidencialidad, la integridad y la disponibilidad). Vector CVSS: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)."
          }
        ],
        "id": "CVE-2024-21083",
        "lastModified": "2024-04-17T12:48:31.863",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 1.2,
              "impactScore": 5.9,
              "source": "secalert_us@oracle.com",
              "type": "Primary"
            }
          ]
        },
        "published": "2024-04-16T22:15:27.953",
        "references": [
          {
            "source": "secalert_us@oracle.com",
            "url": "https://www.oracle.com/security-alerts/cpuapr2024.html"
          }
        ],
        "sourceIdentifier": "secalert_us@oracle.com",
        "vulnStatus": "Awaiting Analysis"
      }
    }
  }
}

cve-2024-21083

Vulnerability from cvelistv5

Published

2024-04-16 21:26

Modified

2024-08-01 22:13

Severity ?

7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Summary

References

▼	URL	Tags
	https://www.oracle.com/security-alerts/cpuapr2024.html	vendor-advisory

Impacted products

▼	Vendor	Product
	Oracle Corporation	BI Publisher (formerly XML Publisher)

Show details on NVD website