CVE-2021-2400
published 2021-07-21CVE-2021-2400: Vulnerability in the Oracle BI Publisher product of Oracle Fusion Middleware (component: E-Business Suite - XDO). Supported versions that are affected are…
PriorityP270high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EPSS
83.30%
99.6th percentile
Vulnerability in the Oracle BI Publisher product of Oracle Fusion Middleware (component: E-Business Suite - XDO). Supported versions that are affected are 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | bi_publisher | — | — |
| oracle | bi_publisher | — | — |
| oracle | bi_publisher | — | — |
| oracle | bi_publisher | — | — |
| oracle_corporation | bi_publisher | — | — |
| oracle_corporation | bi_publisher | — | — |
| oracle_corporation | bi_publisher | — | — |
| oracle_corporation | bi_publisher | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →CVE-2021-2400 affects Oracle BI Publisher via HTTP with no authentication required; monitor for unauthenticated HTTP requests targeting Oracle BI Publisher (E-Business Suite - XDO component) endpoints ↗
- →Affected versions are 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, and 12.2.1.4.0 of Oracle BI Publisher; use version detection to identify unpatched instances ↗
- ·The vulnerability is network-exploitable over HTTP with no authentication (PR:N, UI:N, AC:L), meaning no special configuration is required for exploitation — any exposed Oracle BI Publisher instance on the affected versions is at risk ↗
- ·The vulnerable component is specifically the E-Business Suite - XDO component within Oracle BI Publisher; detections should be scoped to that component ↗
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
vendor_oracle7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Oracle
Oracle Oracle Fusion Middleware Risk Matrix: E-Business Suite - XDO — CVE-2021-2400
vendor_oracle·2021-07-15·CVSS 7.5
CVE-2021-2400 [HIGH] Oracle Oracle Fusion Middleware Risk Matrix: E-Business Suite - XDO — CVE-2021-2400
Oracle Oracle Fusion Middleware Risk Matrix: E-Business Suite - XDO vulnerability
CVE: CVE-2021-2400
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2021 (JUL 2021)
GHSA
GHSA-xv58-2569-gmpq: Vulnerability in the Oracle BI Publisher product of Oracle Fusion Middleware (component: E-Business Suite - XDO)
ghsa_unreviewed·2022-05-24
CVE-2021-2400 [HIGH] GHSA-xv58-2569-gmpq: Vulnerability in the Oracle BI Publisher product of Oracle Fusion Middleware (component: E-Business Suite - XDO)
Vulnerability in the Oracle BI Publisher product of Oracle Fusion Middleware (component: E-Business Suite - XDO). Supported versions that are affected are 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2021-07-21
Published