CVE-2024-20904: 
Oracle Business Intelligence Enterprise Edition (OBIEE) vulnerability analysis and mitigation

Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Pod Admin) affects versions 6.4.0.0.0 and 12.2.1.4.0. This vulnerability allows low privileged attackers with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition, with potential significant impact on additional products (Oracle CPU Jan 2024).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.0 (MEDIUM) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N. The scoring indicates that the vulnerability is network accessible, requires low attack complexity, needs low privileges, requires no user interaction, has changed scope, and can impact confidentiality but not integrity or availability (Oracle CPU Jan 2024).

Successful exploitation of this vulnerability can result in unauthorized read access to a subset of Oracle Business Intelligence Enterprise Edition accessible data. The scope change indicates that the vulnerability's impact may extend beyond the vulnerable component to affect additional products (Oracle CPU Jan 2024).

Oracle has released patches for this vulnerability as part of the January 2024 Critical Patch Update. The patches are available for Oracle Business Intelligence Enterprise Edition versions 6.4.0.0.0 and 12.2.1.4.0. Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible (Oracle CPU Jan 2024).

The vulnerability was discovered and reported by TungHT, AnhNH, and ChauUHM of Sacombank, demonstrating collaborative security research efforts in identifying and responsibly disclosing the vulnerability (Oracle CPU Jan 2024).