CVE-2025-30723 in BI Publisher
Summary
by MITRE • 04/16/2025
Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: XML Services). Supported versions that are affected are 7.6.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle BI Publisher accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle BI Publisher. CVSS 3.1 Base Score 5.4 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L).
Analysis
by VulDB Data Team • 04/17/2025
The vulnerability identified as CVE-2025-30723 affects Oracle BI Publisher within the Oracle Analytics suite, specifically its XML Services component. The weakness is present in both supported version lines, 7.6.0.0.0 and 12.2.1.4.0, so every organization running these releases is affected. The vulnerability falls under the Common Weakness Enumeration category CWE-20, "Improper Input Validation," indicating that the component fails to properly validate or sanitize input data before processing it. The attack vector requires only network access via HTTP and a low-privileged account, so it is reachable by remote attackers who hold no elevated rights within the system.
The technical flaw stems from insufficient validation mechanisms within the XML Services component that processes incoming requests. An attacker with low privileges can exploit this weakness by crafting malicious HTTP requests that manipulate the XML processing functionality. This vulnerability enables unauthorized modification of data through update, insert, or delete operations on accessible database elements within the Oracle BI Publisher environment. The impact extends beyond data integrity concerns to include partial denial of service conditions, where the attacker can disrupt normal operations by consuming system resources or corrupting service functionality. The CVSS 3.1 scoring of 5.4 reflects the moderate severity level, with integrity and availability being the primary affected components.
From an operational perspective, this vulnerability presents a substantial risk to organizations relying on Oracle BI Publisher for business intelligence reporting and data analysis. The low privilege requirement combined with network accessibility means that even casual attackers can potentially exploit this weakness without requiring extensive insider knowledge or elevated system access. The partial denial of service capability can disrupt business operations, particularly when critical reporting systems become unavailable or corrupted. Organizations may experience data integrity issues that could compromise the accuracy of business intelligence reports and analytics. The vulnerability's impact is particularly concerning in environments where BI Publisher serves as a central data processing hub for decision-making processes.
Mitigation strategies should focus on immediate patching of affected versions, as Oracle is likely to release security updates addressing this specific weakness. Network segmentation and firewall rules can help limit access to the affected services, while implementing robust input validation measures can reduce the attack surface. Organizations should consider restricting HTTP access to the XML Services component and implementing additional authentication layers. Regular security assessments and monitoring for anomalous access patterns can help detect exploitation attempts. The vulnerability aligns with ATT&CK technique T1059.007 for XML External Entity (XXE) attacks, suggesting that similar exploitation patterns may be applicable. Implementing proper access controls and privilege separation can limit the potential impact of successful exploitation attempts, while comprehensive logging and audit trails can aid in forensic analysis if incidents occur.
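The two mitigations above that an application team can act on directly, robust input validation in front of the XML processing endpoint and monitoring for anomalous access patterns, are illustrated by the following added example. It is not VulDB's or Oracle's code, and the exact flaw inside BI Publisher's XML Services component is not public; the gate below enforces the generic controls (size, nesting depth, no DTD or entity declarations, an allow-list of root elements) that close off the usual ways a malformed XML request causes data corruption or resource exhaustion. The endpoint path `/xml-services/`, the root element names, and the log lines are constructed placeholders, not BI Publisher's real paths or traffic.

```python
"""Added example (not VulDB's or Oracle's code): a defensive request gate for an
XML-processing HTTP endpoint plus a log check for anomalous access patterns.
Endpoint path, root element names and log lines below are constructed placeholders."""
import io
import re
import xml.etree.ElementTree as ET
from collections import Counter

MAX_BODY_BYTES = 64 * 1024        # assumed size budget for one XML request body
MAX_DEPTH = 32                    # assumed nesting limit against deeply nested payloads
ALLOWED_ROOT_TAGS = {"report", "dataModel"}  # assumed placeholder element names
# Cheap first gate: DTD and entity declarations are never legitimate in these requests.
_DECL_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def validate_xml_request(body: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Rejects before any data-changing work happens."""
    if len(body) > MAX_BODY_BYTES:
        return False, "body too large"
    # A byte-level regex only sees the body in its declared encoding; back it with
    # a parser configured to refuse DTDs (e.g. defusedxml) rather than relying on it alone.
    if _DECL_RE.search(body):
        return False, "DTD/entity declaration not allowed"
    depth = 0
    root_seen = False
    try:
        # iterparse streams events, so excessive nesting is rejected before the
        # whole tree is materialised in memory.
        for event, elem in ET.iterparse(io.BytesIO(body), events=("start", "end")):
            if event == "start":
                depth += 1
                if not root_seen:
                    root_seen = True
                    if elem.tag not in ALLOWED_ROOT_TAGS:
                        return False, f"unexpected root element {elem.tag!r}"
                if depth > MAX_DEPTH:
                    return False, "nesting too deep"
            else:
                depth -= 1
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    return True, "ok"


# Common-log-format style access log line; the XML services path is an assumed placeholder.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3})'
)
XML_SERVICES_PREFIX = "/xml-services/"


def flag_suspicious_clients(log_lines, threshold=3):
    """Return {ip: rejected_count} for clients whose requests to the XML services
    path were rejected (HTTP 4xx) at least `threshold` times. A run of rejections
    from one low-privileged account against this endpoint is the access pattern
    worth alerting on and reviewing."""
    rejected = Counter()
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m or not m["path"].startswith(XML_SERVICES_PREFIX):
            continue
        if m["status"].startswith("4"):
            rejected[m["ip"]] += 1
    return {ip: n for ip, n in rejected.items() if n >= threshold}


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - alice [16/Apr/2025:10:00:01 +0000] "POST /xml-services/report HTTP/1.1" 200 512',
    '10.0.0.9 - bob [16/Apr/2025:10:00:02 +0000] "POST /xml-services/report HTTP/1.1" 400 87',
    '10.0.0.9 - bob [16/Apr/2025:10:00:02 +0000] "PUT /xml-services/dataModel HTTP/1.1" 400 87',
    '10.0.0.9 - bob [16/Apr/2025:10:00:03 +0000] "DELETE /xml-services/report/42 HTTP/1.1" 403 87',
    '10.0.0.9 - bob [16/Apr/2025:10:00:04 +0000] "POST /xml-services/report HTTP/1.1" 413 87',
    '10.0.0.5 - alice [16/Apr/2025:10:00:05 +0000] "GET /login HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for body in (b"<report><title>Q1</title></report>",
                 b'<!DOCTYPE report [<!ENTITY g "hi">]><report>&g;</report>',
                 b"<admin/>"):
        print(body[:40], validate_xml_request(body))
    print(flag_suspicious_clients(SAMPLE_LOG))
```

The gate runs before any update, insert or delete is attempted, so a rejected request never touches stored data, and the streaming depth check means an oversized or deeply nested body is dropped without the parser building the full tree. The log check ties the two mitigations together: each rejection the gate produces becomes a 4xx entry, and a client accumulating them against the XML endpoint is exactly the anomalous access pattern the analysis recommends watching for.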