CVE-2024-21082

CRITICAL

Oracle BI Publisher 7.0.0.0.0 and 12.2.1.4.0 - Unauthenticated XML External Entity Injection via XML Services

Title source: llm

Description

Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: XML Services). Supported versions that are affected are 7.0.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks of this vulnerability can result in takeover of Oracle BI Publisher. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory

https://www.oracle.com/security-alerts/cpuapr2024.html

Scores

CVSS v3 9.8

EPSS 0.0081

EPSS Percentile 51.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-611

Status published

Products (2)

oracle/bi_publisher 7.0.0.0.0

oracle/bi_publisher 12.2.1.4.0

Published Apr 16, 2024

Tracked Since Feb 18, 2026