CVE-2024-20980: 
Oracle Analytics Publisher vulnerability analysis and mitigation

Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: Web Server). Supported versions that are affected are 6.4.0.0.0 and 7.0.0.0.0. The vulnerability was discovered by Shayan Mashoof Chinjani of Kian Amn Sadra and was disclosed in January 2024 (Oracle CPU).

This is an easily exploitable vulnerability that allows low privileged attacker with network access via HTTP to compromise Oracle BI Publisher. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.4 (Medium severity) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle BI Publisher accessible data as well as unauthorized read access to a subset of Oracle BI Publisher accessible data. The vulnerability has both confidentiality and integrity impacts (Oracle CPU).

Oracle has released security patches to address this vulnerability as part of the January 2024 Critical Patch Update. Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible due to the threat posed by successful attacks (Oracle CPU).