<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1462084720533760&amp;ev=PageView&amp;noscript=1">
Skip to content
Right-Side-Virsec-Large Group-Dots-Light Sections
Nov 18, 2020 7:18:17 AM

CVE-2020-14864 Oracle Business Intelligence Enterprise Edition LFI

Virsec Security Research Lab Vulnerability Analysis

The Virsec Security Research Lab provides detailed analysis on recent and notable security vulnerabilities.

Vulnerability Summary

A Local File Inclusion vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Installation). Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data.

A Directory Traversal vulnerability has been discovered in the 'getPreviewImage' function of Oracle Business Intelligence Enterprise Edition. The 'getPreviewImage' function is used to get a preview image of a previously uploaded theme logo. By manipulating the 'previewFilePath' URL parameter an attacker with access to the administration interface can read arbitrary system files.

Watch the video to learn more about this and other important vulnerabilities.

CVSS Score

The CVSS Base Score is 7.5 (High)

Affected Version

Supported versions that are affected are, and

Vulnerability Attribution

This issue was reported publicly by Ivo Palazzolo.

Risk Impact

Oracle Business Intelligence (BI) is a portfolio of technology and applications that provides Enterprise Performance Management System, including BI foundation and tools - integrated array of query, reporting, analysis, alerting, mobile analytics, data integration and management, etc.

Oracle BI is one of part of  Oracle Fusion Middleware which has a good market share of around 9% as per this link. Any exploit of this vulnerabilities could lead to exposure of all sensitive data that resides on the server, which could lead to leakage of proprietary information. Publicly available exploit of this vulnerability is available.

Virsec Security Platform (VSP) Support

The Virsec security platform (VSP)-Web capability can detect such a LFI attack and prevent this attack from being exploited.

Reference Links

Download the full vulnerability report to learn more about this and other important vulnerabilities.

Right-Side-Virsec-Large Group-Dots-Light Sections