CVE-2012-3152

CRITICAL KEV

Oracle Reports Developer - Info Disclosure

Title source: llm

Description

Unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.4, 11.1.1.6, and 11.1.2.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Report Server Component. NOTE: the previous information is from the October 2012 CPU. Oracle has not commented on claims from the original researcher that the URLPARAMETER functionality allows remote attackers to read and upload arbitrary files to reports/rwservlet, and that this issue occurs in earlier versions. NOTE: this can be leveraged with CVE-2012-3153 to execute arbitrary code by uploading a .jsp file.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/31737
exploitdb WORKING POC
by Mekanismen · ruby · remote · jsp
https://www.exploit-db.com/exploits/31253

Scores

CVSS v3 9.1
EPSS 0.9354
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CISA KEV 2021-11-03
VulnCheck KEV 2021-01-01
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2012-3130
Status published
Products (3)
oracle/fusion_middleware 11.1.1.4.0
oracle/fusion_middleware 11.1.1.6.0
oracle/fusion_middleware 11.1.2.0
Published Oct 16, 2012
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026