Cyber Resilience

CVE-2020-14864

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 21 October 2020
Modified: 27 October 2025
KEV Added: 18 January 2022
Patch
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.9402 (99.9th percentile)
Risk Priority: 91 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-14864 is a high-severity Path Traversal (CWE-22) vulnerability in Oracle Business Intelligence. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2020-14864 is a path traversal vulnerability, tracked under CWE-22, in the Installation component of Oracle Business Intelligence Enterprise Edition within Oracle Fusion Middleware. The flaw affects versions 5.5.0.0.0, 12.2.1.3.0, and 12.2.1.4.0 and carries a CVSS 3.1 base score of 7.5 with a vector indicating network-accessible exploitation without authentication or user interaction, resulting solely in high confidentiality impact.

An unauthenticated attacker with network access via HTTP can exploit the issue to obtain unauthorized access to critical data or full access to all Oracle Business Intelligence Enterprise Edition data accessible to the product.

Oracle's October 2020 Critical Patch Update addresses the vulnerability, and the flaw appears in CISA's Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Public exploit code demonstrating local file inclusion has also been published.

EU & UK References

Vulnerability details

Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Installation). Supported versions that are affected are 5.5.0.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

CWE(s): CWE-22 (Path Traversal)
KEV Date Added: 18 January 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: oracle
Product: business intelligence
Versions: 12.2.1.3.0, 12.2.1.4.0, 5.5.0.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-3 (Access Enforcement), prevent: Directly enforces access control policies to block unauthenticated HTTP requests that exploit the path traversal flaw.

SI-10 (Information Input Validation), prevent: Requires validation of HTTP input parameters to reject path traversal sequences such as '../' before they reach the vulnerable Installation component.

prevent: Mandates timely application of the October 2020 CPU patch that eliminates the path traversal vulnerability in Oracle BI EE.
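The SI-10 input-validation control above, as an added example in Python (not code from this page or from Oracle): it canonicalizes an HTTP request path with bounded repeated percent-decoding, backslash handling and dot-segment collapse, then rejects anything that no longer resolves under an assumed base prefix `/app`, so encoded and double-encoded variants of `../` are caught rather than only the literal string. The sample request paths and the `/app` prefix are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

BASE_PREFIX = "/app"      # assumed document root the component may serve from
MAX_DECODE_ROUNDS = 3     # bounded so double-/triple-encoding cannot hide '..'

# Constructed sample request paths (not real Oracle BI EE URLs): two benign,
# the rest carrying traversal in literal, encoded, double-encoded and
# backslash forms, plus a NUL-byte truncation attempt.
SAMPLE_PATHS = [
    "/app/reports/q1.xml",
    "/app/reports/%2e%2e/config.xml",
    "/app/../../etc/passwd",
    "/app/%2e%2e/%2e%2e/etc/passwd",
    "/app/%252e%252e/%252e%252e/etc/passwd",
    "/app\\..\\..\\win.ini",
    "/app/reports/%00.xml",
]


def canonicalize(raw_path: str) -> str:
    """Decode percent-encoding until stable, unify separators, collapse dots."""
    path = raw_path.split("?", 1)[0]            # query string is not part of the path
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")              # treat backslash as a separator too
    return posixpath.normpath("/" + path.lstrip("/"))


def is_within_base(raw_path: str, base: str = BASE_PREFIX) -> bool:
    """True only if the canonical path still resolves under `base`.

    Matching the literal '../' is not enough: the check runs after decoding,
    so %2e%2e and %252e%252e are judged by where they actually resolve.
    """
    canon = canonicalize(raw_path)
    if "\x00" in canon:                         # NUL can truncate paths in native code
        return False
    base = posixpath.normpath("/" + base.strip("/"))
    return canon == base or canon.startswith(base + "/")


def rejected_paths(paths):
    """Return the request paths a front-end validator should refuse."""
    return [p for p in paths if not is_within_base(p)]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        verdict = "ALLOW" if is_within_base(p) else "REJECT"
        print(f"{verdict:6} {p!r} -> {canonicalize(p)}")
```

A stricter policy may refuse any request whose decoded path contains a `..` segment at all, even one that normalizes back inside the base, as the second sample path does.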

References