CVE-2024-20979 in BI Publisher
Summary
by MITRE • 01/17/2024
Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: Web Server). Supported versions that are affected are 6.4.0.0.0, 7.0.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle BI Publisher, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle BI Publisher accessible data as well as unauthorized read access to a subset of Oracle BI Publisher accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 06/04/2025
The vulnerability identified as CVE-2024-20979 represents a significant security weakness within Oracle BI Publisher's web server component, affecting versions 6.4.0.0.0, 7.0.0.0.0, and 12.2.1.4.0 of the Oracle Analytics platform. This vulnerability operates within the context of a widely deployed business intelligence solution that serves as a critical component for data visualization and reporting across enterprise environments. The affected Oracle BI Publisher product is part of the broader Oracle Analytics suite, which provides comprehensive business intelligence capabilities including data analysis, reporting, and dashboard creation for organizations of all sizes.
The technical flaw manifests as an easily exploitable vulnerability that requires minimal privileges to initiate attacks, specifically targeting the web server component of Oracle BI Publisher. This vulnerability operates with a CVSS 3.1 base score of 5.4, indicating a medium severity threat that combines confidentiality and integrity impacts. The attack vector requires network access via HTTP, making it accessible to remote attackers without requiring physical access to the system. The vulnerability's classification as requiring low privilege access means that an attacker with minimal authentication credentials could potentially exploit this weakness, while the requirement for human interaction suggests that social engineering or user manipulation may be necessary to complete the attack successfully. The CVSS vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) clearly indicates that this vulnerability is network accessible with low attack complexity, requires low privileges for exploitation, necessitates user interaction, and can cause scope change impacts affecting additional products beyond the primary target.
The operational impact of this vulnerability extends beyond the immediate compromise of Oracle BI Publisher itself, as successful exploitation can result in unauthorized update, insert, or delete operations against sensitive data within the application. Additionally, attackers can gain unauthorized read access to a subset of data that the application has access to, potentially exposing confidential business intelligence reports, financial data, or other sensitive information. The scope change aspect of this vulnerability is particularly concerning as it indicates that while the primary target is Oracle BI Publisher, the attack could potentially impact other connected or dependent systems within the Oracle Analytics ecosystem. This characteristic aligns with the ATT&CK framework's concept of privilege escalation and lateral movement, where initial access to one component can be leveraged to compromise additional systems. The vulnerability's impact on data integrity and confidentiality makes it particularly dangerous for organizations that rely heavily on BI Publisher for mission-critical reporting and decision-making processes.
Organizations should implement immediate mitigations to protect against exploitation of this vulnerability, including applying the relevant Oracle security patches as soon as they become available. Network segmentation and access controls should be strengthened to limit unnecessary HTTP access to the affected components, while monitoring systems should be enhanced to detect unusual access patterns or unauthorized data modifications. The vulnerability's requirement for human interaction suggests that security awareness training for users may help reduce the risk of successful exploitation through social engineering techniques. Organizations should also conduct thorough vulnerability assessments to identify all instances of the affected Oracle BI Publisher versions within their environment and prioritize remediation efforts accordingly. The CWE (Common Weakness Enumeration) classification for this type of vulnerability would likely fall under CWE-200 (Information Exposure) and potentially CWE-284 (Improper Access Control), reflecting the exposure of unauthorized data access and inadequate privilege controls within the application. Regular security audits and penetration testing should be conducted to ensure that the implemented mitigations are effective and that no additional attack surfaces remain unaddressed.