CVE-2023-22109: 
Oracle Business Intelligence Enterprise Edition (OBIEE) vulnerability analysis and mitigation

Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Analytics Web Dashboards). Supported versions affected are 6.4.0.0.0, 7.0.0.0.0 and 12.2.1.4.0. This is an easily exploitable vulnerability that allows low privileged attackers with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker (Oracle Advisory).

The vulnerability has a CVSS 3.1 Base Score of 4.6 (Confidentiality and Integrity impacts) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N. This indicates a network-exploitable vulnerability with low attack complexity, requiring low privileges and user interaction. The scope is unchanged, with low impacts on confidentiality and integrity, but no impact on availability (NVD).

Successful exploitation can result in unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Business Intelligence Enterprise Edition accessible data (Oracle Advisory).

Oracle has released security patches to address this vulnerability. The fix is included in the October 2023 Critical Patch Update. Oracle strongly recommends that customers apply the security patches as soon as possible (Oracle Advisory).

The vulnerability was discovered and reported by ninh.0x4c of sacombank (Oracle Advisory).