This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1 What is this vulnerability? (Essence + Consequences)
**Essence**: A Path Traversal (Local File Inclusion) flaw in Oracle BI Enterprise Edition…
**Root Cause**: Improper input validation in the `getPreviewImage` endpoint. **Flaw**: Allows attackers to manipulate file paths to access files outside the intended directory (LFI).
Q3 Who is affected? (Versions/Components)
**Vendor**: Oracle Corporation. **Product**: Business Intelligence Enterprise Edition. **Affected Versions**: Specifically **5.5.0.0.0**, **12.2.1.3.0**, and **12.2.1.4.0**.
Q4 What can hackers do? (Privileges/Data)
**Privileges**: None; the endpoint is reachable without authentication. **Data**: High impact on Confidentiality (C:H). Attackers can read arbitrary local files, potentially exposing credentials, configs, or source code.
Q5 Is the exploitation threshold high? (Auth/Config)
**Auth**: None required (PR:N). **Network**: Remote (AV:N). **Complexity**: Low (AC:L). **Threshold**: VERY LOW. Easy to exploit over the internet without login.
Q6 Is there a public exploit? (PoC/Wild Exploitation)
**PoC**: Yes. Available via Nuclei templates and PacketStorm. **Exploitation**: Publicly known technique. High risk of automated scanning and exploitation in the wild.
Q7 How to self-check? (Features/Scanning)
**Check**: Scan for the `getPreviewImage` endpoint. **Tool**: Use Nuclei or similar scanners targeting CVE-2020-14864. **Test**: Attempt path traversal payloads to see if local files are returned.
Q8 Is it fixed officially? (Patch/Mitigation)
**Fix**: Official patch released by Oracle in **October 2020** (CPU Oct 2020). **Ref**: See Oracle Security Alerts CPU Oct 2020 for details.
Q9 What if no patch? (Workaround)
**Workaround**: If unpatched, restrict HTTP access to the BI server. **Block**: Use WAF rules to block requests containing `../` in the `getPreviewImage` parameter. **Isolate**: Network segmentation.
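The following Python script is an added example for the self-check (Q7) and the WAF workaround (Q9) above; it is not part of the analysis and not Oracle's code. It scans web-server access logs for requests to the `getPreviewImage` endpoint (the only identifier taken from the advisory) whose request target contains a `..` segment after percent-decoding, and it contrasts that with a literal `../` match like the WAF rule described above, which misses percent-encoded (`%2F`) and double-encoded (`%252e`) variants. The log lines, the `/placeholder` path prefix, the `name` query parameter and the file names are constructed placeholders, not the product's real values.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (not real traffic). The endpoint name
# getPreviewImage comes from the advisory; the /placeholder prefix, the `name`
# parameter and the file names are placeholders, not the product's real values.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Nov/2020:10:00:01 +0000] "GET /placeholder/getPreviewImage?name=report.png HTTP/1.1" 200 4121
10.0.0.9 - - [01/Nov/2020:10:00:02 +0000] "GET /placeholder/getPreviewImage?name=../../../placeholder.conf HTTP/1.1" 200 1843
10.0.0.9 - - [01/Nov/2020:10:00:03 +0000] "GET /placeholder/getPreviewImage?name=..%2F..%2F..%2Fplaceholder.conf HTTP/1.1" 200 1843
10.0.0.9 - - [01/Nov/2020:10:00:04 +0000] "GET /placeholder/getPreviewImage?name=%252e%252e%252f%252e%252e%252fplaceholder.conf HTTP/1.1" 200 1843
10.0.0.7 - - [01/Nov/2020:10:00:05 +0000] "GET /placeholder/other?name=../x HTTP/1.1" 404 0
"""

# Request line inside a Common/Combined Log Format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# A ".." segment: not preceded by another dot, followed by a separator or the end.
TRAVERSAL_RE = re.compile(r'(?<![.])\.\.(?:[\\/]|$)')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (%252e -> %2e -> .) collapse."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def naive_check(target):
    """The literal rule from the workaround: match if the raw request contains '../'.
    It misses percent-encoded and double-encoded variants."""
    return "../" in target


def has_traversal(target):
    """Decode, normalise backslashes to slashes, then look for a '..' segment."""
    decoded = fully_decode(target).replace("\\", "/")
    return bool(TRAVERSAL_RE.search(decoded))


def flag_requests(log_text, endpoint="getPreviewImage"):
    """Return (client_ip, raw_target) for every request to the endpoint whose
    decoded target carries a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        if endpoint not in urlsplit(target).path:
            continue  # only requests to the affected endpoint are of interest
        if has_traversal(target):
            hits.append((line.split()[0], target))
    return hits


if __name__ == "__main__":
    for ip, target in flag_requests(SAMPLE_LOG):
        print(f"{ip} {target}")
```

On the constructed log the decoding check flags the three requests from 10.0.0.9 and ignores both the benign request and the traversal attempt against an unrelated endpoint, while the literal `../` rule catches only the first of the three. The same normalisation (decode until stable, then test for a `..` segment) is what a WAF rule for this workaround needs, rather than a plain substring match.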
Q10 Is it urgent? (Priority Suggestion)
**Urgency**: HIGH. **Priority**: Critical. Since it requires **no authentication** and has **low complexity**, immediate patching or mitigation is essential to prevent data exfiltration.