CVE-2022-21609: 
Oracle Business Intelligence Enterprise Edition (OBIEE) vulnerability analysis and mitigation

Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Server). The supported version that is affected is 5.9.0.0. This vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. The vulnerability can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data (Oracle CPU Oct 2022).

The vulnerability has been assigned a CVSS 3.1 Base Score of 5.7, indicating a medium severity level. The CVSS Vector is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N), which breaks down to: Network attack vector, Low attack complexity, Low privileges required, User interaction required, Unchanged scope, High confidentiality impact, and No impact on integrity or availability (NVD).

The primary impact of this vulnerability is on data confidentiality. If successfully exploited, it can lead to unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data. The vulnerability specifically affects the confidentiality of the system while having no direct impact on system integrity or availability (Oracle CPU Oct 2022).

Oracle has released security patches to address this vulnerability as part of the October 2022 Critical Patch Update. Organizations using Oracle Business Intelligence Enterprise Edition version 5.9.0.0 should apply the security patches without delay to protect against potential exploitation (Oracle CPU Oct 2022).