CVE-2023-22105: 
Oracle Analytics Publisher vulnerability analysis and mitigation

Vulnerability in the BI Publisher product of Oracle Analytics (component: Web Server). Supported versions that are affected are 6.4.0.0.0 and 7.0.0.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise BI Publisher. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in BI Publisher, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of BI Publisher accessible data as well as unauthorized read access to a subset of BI Publisher accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts) (Oracle Advisory).

The vulnerability has a CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N), indicating network accessibility, low attack complexity, requiring low privileges and user interaction. The scope is changed, meaning the vulnerability can affect components beyond the vulnerable component. The vulnerability impacts both confidentiality and integrity at a low level, with no impact on availability (Oracle Advisory).

The vulnerability can lead to unauthorized access to read and modify BI Publisher data. Additionally, due to the scope change characteristic, the vulnerability may affect other connected systems or products beyond the immediate BI Publisher environment (Oracle Advisory).

Oracle has released security patches for the affected versions (6.4.0.0.0 and 7.0.0.0.0) as part of the October 2023 Critical Patch Update. It is strongly recommended that customers apply these security patches without delay to address the vulnerability (Oracle Advisory).