CVE-2023-22061: 
Oracle Business Intelligence Enterprise Edition (OBIEE) vulnerability analysis and mitigation

Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Visual Analyzer). The supported version that is affected is 6.4.0.0.0. This vulnerability was discovered by Seyed Hosein Sadaty Pakdaman of Kian Amn Sadra and disclosed in July 2023 (Oracle CPU July).

The vulnerability allows low privileged attackers with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. The vulnerability has a CVSS 3.1 Base Score of 5.4 (Confidentiality and Integrity impacts) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (Oracle CPU July).

Successful exploitation can result in unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Business Intelligence Enterprise Edition accessible data. While the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products due to scope change (Oracle CPU July).

Oracle has released security patches to address this vulnerability as part of the July 2023 Critical Patch Update. Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible due to the threat posed by successful attacks (Oracle CPU July).