CVE-2021-2396

Name of the Vulnerable Software and Affected Versions Oracle BI Publisher versions 5.5.0.0.0 through 12.2.1.4.0

Description The issue is related to insufficient input validation in the E-Business Suite - XDO component of Oracle BI Publisher, part of the Oracle Fusion Middleware platform. This can be exploited by a remote attacker to execute arbitrary code and gain full control over the application via the HTTP protocol. The vulnerability can be easily exploited by a low-privileged attacker with network access.

Recommendations For versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, and 12.2.1.4.0, consider disabling the UpdateConnectionServlet until a patch is available to prevent potential JNDI injection and remote code execution attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.