Information
The Oracle database GRANT ANY OBJECT PRIVILEGE keyword provides the grantee the capability to grant access to any single or multiple combinations of objects to any grantee in the catalog of the database. Unauthorized grantees should not have that keyword assigned to them.
Rationale:
The GRANT ANY OBJECT PRIVILEGE capability can allow an unauthorized user to potentially access or change confidential data, or damage the data catalog due to potential complete instance access.
Solution
To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
REVOKE GRANT ANY OBJECT PRIVILEGE FROM <grantee>;
References:
http://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG99914