SB20241015222 - Multiple vulnerabilities in Oracle BI Publisher
Published: October 15, 2024
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Input validation error (CVE-ID: CVE-2024-38809)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when parsing ETags from "If-Match" or "If-None-Match" request headers. A remote attacker can send a specially crafted HTTP request to the application and perform a denial of service (DoS) attack.
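Item 1 is a parsing defect, so the useful thing to show from the defender's side is how an If-Match / If-None-Match parser is kept bounded. The following is an added example, not Oracle's or any vendor's code: it reads the header in one forward pass with a length cap and a tag-count cap, so a crafted value cannot drive parsing cost beyond the input size. MAX_HEADER_LEN and MAX_ETAGS are constructed limits and the function names are hypothetical.

```python
# Hypothetical hardening example (not Oracle's or any vendor's code): a length
# cap, a tag-count cap and one forward scan bound the parsing work, whatever
# the If-Match / If-None-Match value looks like.
from typing import List, Optional, Tuple

MAX_HEADER_LEN = 4096  # constructed limit; tune for your deployment
MAX_ETAGS = 64         # constructed limit on list length

def parse_etag_list(value: str) -> Optional[List[Tuple[bool, str]]]:
    """None for "*", else [(is_weak, tag), ...]; ValueError on bad input."""
    if len(value) > MAX_HEADER_LEN:  # reject before doing any work
        raise ValueError("header too long")
    s = value.strip(" \t,")  # drop leading/trailing list separators
    if s == "*":
        return None
    tags: List[Tuple[bool, str]] = []
    i, n = 0, len(s)
    while i < n:
        while i < n and s[i] in " \t,":  # separators between list members
            i += 1
        weak = s.startswith("W/", i)
        i += 2 if weak else 0
        if i >= n or s[i] != '"':
            raise ValueError("etag must be quoted")
        j = s.find('"', i + 1)  # single forward scan, no backtracking
        if j == -1:
            raise ValueError("unterminated etag")
        tag = s[i + 1:j]
        if any(ord(c) < 0x21 or ord(c) == 0x7F for c in tag):  # RFC 7232 etagc
            raise ValueError("invalid etag character")
        tags.append((weak, tag))
        if len(tags) > MAX_ETAGS:
            raise ValueError("too many etags")
        i = j + 1
    return tags

def is_wellformed(value: str) -> bool:
    try:
        parse_etag_list(value)
        return True
    except ValueError:
        return False

def if_none_match_hits(header: str, current_etag: str) -> bool:
    """Weak comparison (RFC 7232 2.3.2): True means unchanged, 304 allowed."""
    parsed = parse_etag_list(header)
    if parsed is None:
        return True
    cur = current_etag[2:] if current_etag.startswith("W/") else current_etag
    return any(tag == cur.strip('"') for _, tag in parsed)
```

A caller that gets ValueError answers 400 immediately rather than trying to recover, which keeps the cost of a malformed header at one linear scan.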
2) Improper input validation (CVE-ID: CVE-2024-21195)
The vulnerability allows a remote authenticated user to read, manipulate or delete data.
The vulnerability exists due to improper input validation within the Layout Templates component in Oracle BI Publisher. A remote authenticated user can exploit this vulnerability to read, manipulate or delete data.
3) Improper input validation (CVE-ID: CVE-2024-21254)
The vulnerability allows a remote authenticated user to execute arbitrary code.
The vulnerability exists due to improper input validation within the Web Server component in Oracle BI Publisher. A remote authenticated user can exploit this vulnerability to execute arbitrary code.
4) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2024-29736)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input passed via the WADL stylesheet parameter. A remote attacker can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems.
Successful exploitation of this vulnerability requires that a custom stylesheet parameter is configured.
Remediation
Install the update from the vendor's website.