CVE-2023-21891: 
Oracle Business Intelligence Enterprise Edition (OBIEE) vulnerability analysis and mitigation

Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Visual Analyzer). Supported versions affected are 5.9.0.0.0 and 6.4.0.0.0. This vulnerability allows low privileged attackers with network access via HTTP to compromise the system, requiring human interaction from a person other than the attacker. The vulnerability was disclosed in January 2023 (Oracle CPU).

The vulnerability has a CVSS 3.1 Base Score of 5.4 (Confidentiality and Integrity impacts) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The attack requires network access and low privileges, with required user interaction. The scope is changed, with low impacts on confidentiality and integrity, but no impact on availability (Oracle CPU).

Successful exploitation can result in unauthorized update, insert or delete access to some Oracle Business Intelligence Enterprise Edition accessible data, as well as unauthorized read access to a subset of accessible data. While the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products due to scope change (Oracle CPU).

Oracle has released security patches for the affected versions (5.9.0.0.0 and 6.4.0.0.0) as part of the January 2023 Critical Patch Update. Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible due to the threat posed by successful attacks (Oracle CPU).

The vulnerability was reported by AnhNH, ChauUHM, and TungHT of Sacombank, who were acknowledged in Oracle's Critical Patch Update Advisory (Oracle CPU).