CVE-2019-2767

HIGH EXPLOITED IN THE WILD NUCLEI

Oracle Fusion Middleware - Unauthenticated RCE

Title source: llm

Description

Vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware (subcomponent: BI Publisher Security). The supported version that is affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise BI Publisher (formerly XML Publisher). While the vulnerability is in BI Publisher (formerly XML Publisher), attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of BI Publisher (formerly XML Publisher) accessible data as well as unauthorized read access to a subset of BI Publisher (formerly XML Publisher) accessible data. CVSS 3.0 Base Score 7.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).

Nuclei Templates (1)

Oracle Business Intelligence Publisher - XML External Entity Injection

HIGHby madrobot

References (1)

[Patch, Vendor Advisory] http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Scores

CVSS v3 7.2

EPSS 0.4989

EPSS Percentile 97.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Details

VulnCheck KEV 2024-09-19

InTheWild.io 2021-10-14

Status published

Products (1)

oracle/bi_publisher 11.1.1.9.0

Published Jul 23, 2019

Tracked Since Feb 18, 2026