Detections
Analytics

Oracle Reports Servlet Remote File Access

medium Nessus Plugin ID 73119

Language:

Synopsis

The remote web server hosts a web application that has a file access vulnerability.

Description

Nessus was able to exploit a file access vulnerability in the Oracle Reports servlet and retrieve to contents of a file. A remote attacker could use this vulnerability to read or write arbitrary files on the system, ultimately leading to remote code execution.

Solution

Apply the appropriate patch per the vendor's advisory.

See Also

http://www.nessus.org/u?c969a07f

http://www.nessus.org/u?87547c81

Plugin Details

Severity: Medium

ID: 73119

File Name: oracle_reports_file_access.nasl

Version: 1.16

Type: remote

Family: CGI abuses

Published: 3/20/2014

Updated: 5/28/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus

Enable CGI Scanning: true

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2012-3152

Vulnerability Information

CPE: cpe:/a:oracle:fusion_middleware

Required KB Items: www/oracle_reports

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: No exploit is required

Exploited by Nessus: true

Patch Publication Date: 10/16/2012

Vulnerability Publication Date: 10/16/2012

CISA Known Exploited Vulnerability Due Dates: 5/3/2022

Exploitable With

Core Impact

Metasploit (Oracle Forms and Reports Remote Code Execution)

Reference Information

CVE: CVE-2012-3152

BID: 55955