CVE-2021-2401: 
Oracle Analytics Publisher vulnerability analysis and mitigation

CVE-2021-2401 is a vulnerability in Oracle Business Intelligence DOMParser that allows remote attackers to disclose sensitive information on affected installations. The vulnerability affects Oracle Business Intelligence versions prior to 0.0.0, 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. The vulnerability was discovered in March 2021 and publicly disclosed in July 2021 (ZDI Advisory).

The vulnerability exists within the DOMParser endpoint, which listens on TCP port 9502 by default. The specific flaw is due to improper restriction of XML External Entity (XXE) references. When a crafted document specifying a URI is processed, the XML parser accesses the URI and embeds the contents back into the XML document for further processing. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) (ZDI Advisory).

An attacker can leverage this vulnerability to disclose sensitive information in the context of the service account. The vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle Business Intelligence (ZDI Advisory).

Oracle has issued an update to correct this vulnerability as part of the July 2021 Critical Patch Update. Users should apply the security patches without delay to protect their systems (ZDI Advisory, Oracle Advisory).