CVE-2020-14864
Published: 21 October 2020
Summary
CVE-2020-14864 is a high-severity Path Traversal (CWE-22) vulnerability in Oracle Business Intelligence. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2020-14864 is a path traversal vulnerability, tracked under CWE-22, in the Installation component of Oracle Business Intelligence Enterprise Edition within Oracle Fusion Middleware. The flaw affects versions 5.5.0.0.0, 12.2.1.3.0, and 12.2.1.4.0 and carries a CVSS 3.1 base score of 7.5 with a vector indicating network-accessible exploitation without authentication or user interaction, resulting solely in high confidentiality impact.
An unauthenticated attacker with network access via HTTP can exploit the issue to obtain unauthorized access to critical data or full access to all Oracle Business Intelligence Enterprise Edition data accessible to the product.
Oracle's October 2020 Critical Patch Update addresses the vulnerability, and the flaw appears in CISA's Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Public exploit code demonstrating local file inclusion has also been published.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-7000
Vulnerability details
Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Installation). Supported versions that are affected are 5.5.0.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
- CWE(s): CWE-22 (Path Traversal)
- KEV Date Added: 18 January 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces access control policies to block unauthenticated HTTP requests that exploit the path traversal flaw, for example by keeping the Oracle BI EE HTTP interfaces behind an authenticating reverse proxy or restricted to trusted networks rather than exposed to the internet.
- SI-10 (Information Input Validation): requires validation of HTTP input parameters to reject path traversal sequences such as '../' before they reach the vulnerable Installation component. The check has to run on the fully decoded value: URL-encoded (%2e%2e/), double-encoded (%252e%252e/) and backslash (..\) forms must be rejected as well as the literal string, and the resolved path must be confirmed to lie under the intended directory. This is defense in depth while the patch is rolled out, not a replacement for it.
- SI-2 (Flaw Remediation): mandates timely application of the October 2020 Critical Patch Update, which eliminates the path traversal vulnerability in Oracle BI EE.
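As an added example that is not part of the original page and not Oracle's code, the following Python implements the SI-10 validation described above for a user-supplied path parameter (percent-decoding until stable, normalising backslashes, rejecting '..' segments and NUL bytes, then resolving the value under a base directory with realpath so a symlink cannot escape either) and reuses the same normaliser to sweep HTTP access logs for exploitation attempts, which is the hunt a responder runs once a CVE lands in the KEV catalog. The /app/report endpoint, the file parameter, the document root /opt/obiee/docroot and the log lines are constructed for illustration; they are not Oracle BI EE's actual endpoints or parameters.

```python
# Added example, not Oracle's code and not from the original page: the SI-10
# input-validation check applied to a user-supplied path parameter, and the same
# normaliser reused to hunt for traversal attempts in HTTP access logs.
# All paths, parameter names and log lines below are constructed for illustration.
import os
import re
from typing import List, Optional
from urllib.parse import unquote

# A '..' path segment on its own: at the start, at the end, or between separators.
# Backslashes are converted to '/' before this is applied.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until stable so %252e%252e (double-encoded '..') is seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(raw_value: str) -> bool:
    """True if the value, after decoding, contains a '..' segment or an embedded NUL."""
    decoded = fully_decode(raw_value).replace("\\", "/")
    if "\x00" in decoded:  # NUL truncates paths in some native code, so reject it outright
        return True
    return TRAVERSAL_RE.search(decoded) is not None


def safe_resolve(base_dir: str, raw_value: str) -> Optional[str]:
    """Resolve a user-supplied relative path under base_dir; return None if it escapes."""
    if is_traversal(raw_value):
        return None
    rel = fully_decode(raw_value).replace("\\", "/").lstrip("/")  # absolute -> relative to base
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, rel))
    # realpath follows symlinks, so a link inside base_dir that points outside is caught too
    if os.path.commonpath([base, target]) != base:
        return None
    return target


# Constructed sample access-log lines (Common Log Format). The /app/report endpoint
# and the file= parameter are hypothetical, not Oracle BI EE endpoints.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jan/2022:10:01:02 +0000] "GET /app/report?file=sales/q3.pdf HTTP/1.1" 200 5123
198.51.100.7 - - [18/Jan/2022:10:01:09 +0000] "GET /app/report?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 2301
198.51.100.7 - - [18/Jan/2022:10:01:11 +0000] "GET /app/report?file=%252e%252e%252f%252e%252e%252fWEB-INF%252fweb.xml HTTP/1.1" 200 1450
10.0.0.9 - - [18/Jan/2022:10:02:00 +0000] "GET /app/report?file=sales/q3..pdf HTTP/1.1" 404 312
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def find_traversal_requests(log_text: str) -> List[str]:
    """Return the client IP of every log line whose path or any query value carries traversal."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path, _, query = m.group(1).partition("?")
        # check the path itself and every query-string value, each decoded independently
        candidates = [path] + [kv.partition("=")[2] for kv in query.split("&") if kv]
        if any(is_traversal(c) for c in candidates):
            hits.append(line.split(" ", 1)[0])
    return hits


if __name__ == "__main__":
    base = "/opt/obiee/docroot"  # hypothetical document root
    for value in ("css/site.css", "..%2f..%2fetc%2fpasswd", "%252e%252e%252fWEB-INF%252fweb.xml"):
        print(f"{value!r:45} -> {safe_resolve(base, value)}")
    print("traversal attempts from:", find_traversal_requests(SAMPLE_LOG))
```

Run it directly to see which values resolve and which client IPs get flagged. The decode-until-stable loop is the part a naive filter gets wrong: rejecting only the literal "../" is bypassed by %2e%2e/ and by double encoding when the application decodes the value again downstream. The regex is the early reject that also gives you a log signal; the realpath plus commonpath comparison is the check that actually enforces the directory boundary.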