⚠ Actively exploited

Added to CISA KEV on 2022-03-25. Federal agencies required to patch by 2022-04-15. Required action: Apply updates per vendor instructions..

CVE-2019-2616

7 documents7 sources

Severity

7.2HIGH

EPSS

94.0%

top 0.11%

CISA KEV

KEV

Added 2022-03-25

Due 2022-04-15

Exploit

Exploited in wild

Active exploitation observed

Affected products

Oracle Corporation BI Publisher (formerly XML Publisher)Oracle Business Intelligence Publisher

Timeline

PublishedApr 23

KEV addedMar 25

KEV dueApr 15

Latest updateMay 24

CISA Required Action: Apply updates per vendor instructions.

Description

Vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware (subcomponent: BI Publisher Security). Supported versions that are affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise BI Publisher (formerly XML Publisher). While the vulnerability is in BI Publisher (formerly XML Publisher), attacks may significantly impact additional products. Successful att…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5oracle_corporation/bi_publisher_(formerly_xml_publisher)11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0+2

▶NVDoracle/business_intelligence_publisher11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0+2

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-8j2r-c64f-x52g: Vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware (subcomponent: BI Publisher Security)↗2022-05-24

▶

CVEList

CVE-2019-2616: Vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware (subcomponent: BI Publisher Security)↗2019-04-23

▶

VulnCheck

Oracle BI Publisher Unauthorized Access Vulnerability↗2019

▶

💥Exploits & PoCs

Exploit-DB

Oracle Business Intelligence / XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - XML External Entity Injection↗2019-04-19

▶

Nuclei

Oracle Business Intelligence/XML Publisher - XML External Entity Injection

▶

📋Vendor Advisories

CISA

Oracle BI Publisher Unauthorized Access Vulnerability↗2022-03-25

▶