Cyber Resilience

CVE-2019-2616

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 23 April 2019
Modified: 12 January 2026
KEV Added: 25 March 2022
Patch: available
CVSS Score (v3.1): 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.9399 (99.9th percentile)
Risk Priority: 91 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-2616 is a high-severity vulnerability of unspecified weakness type (no CWE listed) in Oracle Business Intelligence Publisher. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS 99.9th percentile), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is an easily exploitable flaw in the BI Publisher Security subcomponent of Oracle BI Publisher (formerly XML Publisher) within Oracle Fusion Middleware. It affects supported versions 11.1.1.9.0, 12.2.1.3.0, and 12.2.1.4.0. The issue permits unauthorized access that can affect data confidentiality and integrity, with a CVSS 3.0 base score of 7.2 reflecting network-accessible attack vectors without authentication.

An unauthenticated attacker with network access via HTTP can exploit the flaw to compromise BI Publisher and potentially impact additional Oracle products. Successful exploitation grants the ability to perform unauthorized updates, inserts, or deletions on some accessible data, along with read access to a subset of that data, without requiring user interaction.

The referenced Oracle Critical Patch Update for April 2019 addresses the issue through available patches for the affected Fusion Middleware versions. The vulnerability also appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed real-world exploitation activity.

Vulnerability details

Vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware (subcomponent: BI Publisher Security). Supported versions that are affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise BI Publisher (formerly XML Publisher). While the vulnerability is in BI Publisher (formerly XML Publisher), attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of BI Publisher (formerly XML Publisher) accessible data as well as unauthorized read access to a subset of BI Publisher (formerly XML Publisher) accessible data. CVSS 3.0 Base Score 7.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).

CWE(s): none listed
KEV Date Added: 25 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: oracle
Product: business intelligence publisher
Versions: 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)

Directly enforces approved authorizations on BI Publisher data, blocking the unauthenticated HTTP requests that allow unauthorized read/write access.

AC-17 Remote Access (partial match, prevent)

Restricts and authorizes remote network (HTTP) access to the BI Publisher component, limiting the attack surface exploited by unauthenticated attackers.

SI-2 Flaw Remediation (prevent)

Requires timely application of the April 2019 Critical Patch Update that remediates the BI Publisher Security flaw.
