Unspecified vulnerability in the BI Publisher component in Oracle Application Server 5.6.2, 10.1.3.2.1, 10.1.3.3.3, and 10.1.3.4 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2009-0994.
http://www.us-cert.gov/cas/techalerts/TA09-105A.html
http://www.securitytracker.com/id?1022055