CVE-2024-20987: 
Oracle Analytics Publisher vulnerability analysis and mitigation

Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: Web Server) affects version 12.2.1.4.0. This easily exploitable vulnerability allows low privileged attackers with network access via HTTP to compromise Oracle BI Publisher. The vulnerability was disclosed in January 2024 as part of Oracle's Critical Patch Update (Oracle CPU).

The vulnerability has a CVSS v3.1 Base Score of 5.4 (Medium severity) with Confidentiality and Integrity impacts. The attack vector is Network (AV:N), with Low attack complexity (AC:L), requires Low privileges (PR:L), and User interaction (UI:R). The scope is Changed (S:C), with Low impacts to both Confidentiality (C:L) and Integrity (I:L), and No impact to Availability (A:N) (NVD).

Successful exploitation can result in unauthorized update, insert or delete access to some of Oracle BI Publisher accessible data as well as unauthorized read access to a subset of Oracle BI Publisher accessible data. While the vulnerability is in Oracle BI Publisher, attacks may significantly impact additional products due to scope change (Oracle CPU).

Oracle has released patches to address this vulnerability as part of the January 2024 Critical Patch Update. Users should apply the security patches as soon as possible to mitigate the risk (Oracle CPU).