Multiple vulnerabilities in Oracle Hyperion Planning
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2019-2770 CVE-2019-2861 |
| CWE-ID | CWE-284 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #2 is available. |
| Vulnerable software Subscribe |
Hyperion Planning Web applications / CRM systems |
| Vendor | Oracle |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Improper access control
EUVDB-ID: #VU35669
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-2770
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote privileged user to gain access to sensitive information.
Vulnerability in the Oracle Hyperion Planning component of Oracle Hyperion (subcomponent: Smart View). The supported version that is affected is 11.1.2.4. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hyperion Planning. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Planning accessible data. CVSS 3.0 Base Score 4.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N).
MitigationInstall update from vendor's website.
Vulnerable software versionsHyperion Planning: 11.1.2.4
CPE2.3 External linkshttp://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper access control
EUVDB-ID: #VU35685
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-2861
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: Yes
DescriptionThe vulnerability allows a remote privileged user to manipulate data.
Vulnerability in the Oracle Hyperion Planning component of Oracle Hyperion (subcomponent: Security). The supported version that is affected is 11.1.2.4. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hyperion Planning. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Hyperion Planning accessible data. CVSS 3.0 Base Score 4.2 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N).
MitigationInstall update from vendor's website.
Vulnerable software versionsHyperion Planning: 11.1.2.4
CPE2.3 External linkshttp://packetstormsecurity.com/files/153841/Oracle-Hyperion-Planning-11.1.2.3-XML-Injection.html
http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
