CVE-2019-2861 - OpenCVE

Vulnerability in the Oracle Hyperion Planning component of Oracle Hyperion (subcomponent: Security). The supported version that is affected is 11.1.2.4. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hyperion Planning. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Hyperion Planning accessible data. CVSS 3.0 Base Score 4.2 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N).

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity High

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:H/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Oracle	Hyperion Planning

Configuration 1 [-]

cpe:2.3:a:oracle:hyperion_planning:11.1.2.4:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/153841/Oracle-Hyperion-Planning-11.1.2.3-XML-Injection.html
http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

History

Wed, 02 Oct 2024 08:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2019-07-23T22:31:51

Updated: 2024-10-01T16:35:26.938Z

Reserved: 2018-12-14T00:00:00

Link: CVE-2019-2861

Vulnrichment

Updated: 2024-08-04T19:03:43.241Z

NVD

Status : Modified

Published: 2019-07-23T23:15:46.303

Modified: 2020-08-24T17:37:01.140

Link: CVE-2019-2861

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Hyperion Planning", "vendor": "Oracle Corporation", "versions": [{"status": "affected", "version": "11.1.2.4"}]}], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle Hyperion Planning component of Oracle Hyperion (subcomponent: Security). The supported version that is affected is 11.1.2.4. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hyperion Planning. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Hyperion Planning accessible data. CVSS 3.0 Base Score 4.2 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N)."}], "problemTypes": [{"descriptions": [{"description": "Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hyperion Planning. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Hyperion Planning accessible data.", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-07-31T21:06:09", "orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/153841/Oracle-Hyperion-Planning-11.1.2.3-XML-Injection.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert_us@oracle.com", "ID": "CVE-2019-2861", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Hyperion Planning", "version": {"version_data": [{"version_affected": "=", "version_value": "11.1.2.4"}]}}]}, "vendor_name": "Oracle Corporation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Vulnerability in the Oracle Hyperion Planning component of Oracle Hyperion (subcomponent: Security). The supported version that is affected is 11.1.2.4. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hyperion Planning. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Hyperion Planning accessible data. CVSS 3.0 Base Score 4.2 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hyperion Planning. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Hyperion Planning accessible data."}]}]}, "references": {"reference_data": [{"name": "http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "refsource": "MISC", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"}, {"name": "http://packetstormsecurity.com/files/153841/Oracle-Hyperion-Planning-11.1.2.3-XML-Injection.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/153841/Oracle-Hyperion-Planning-11.1.2.3-XML-Injection.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T19:03:43.241Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/153841/Oracle-Hyperion-Planning-11.1.2.3-XML-Injection.html"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-01T16:16:05.717730Z", "id": "CVE-2019-2861", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-01T16:35:26.938Z"}}]}, "cveMetadata": {"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "assignerShortName": "oracle", "cveId": "CVE-2019-2861", "datePublished": "2019-07-23T22:31:51", "dateReserved": "2018-12-14T00:00:00", "dateUpdated": "2024-10-01T16:35:26.938Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "http://packetstormsecurity.com/files/153841/Oracle-Hyperion-Planning-11.1.2.3-XML-Injection.html", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T19:03:43.241Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2019-2861", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-01T16:16:05.717730Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-01T16:16:54.963Z"}}], "cna": {"affected": [{"vendor": "Oracle Corporation", "product": "Hyperion Planning", "versions": [{"status": "affected", "version": "11.1.2.4"}]}], "references": [{"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "tags": ["x_refsource_MISC"]}, {"url": "http://packetstormsecurity.com/files/153841/Oracle-Hyperion-Planning-11.1.2.3-XML-Injection.html", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle Hyperion Planning component of Oracle Hyperion (subcomponent: Security). The supported version that is affected is 11.1.2.4. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hyperion Planning. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Hyperion Planning accessible data. CVSS 3.0 Base Score 4.2 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hyperion Planning. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Hyperion Planning accessible data."}]}], "providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2019-07-31T21:06:09"}, "x_legacyV4Record": {"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "11.1.2.4", "version_affected": "="}]}, "product_name": "Hyperion Planning"}]}, "vendor_name": "Oracle Corporation"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "refsource": "MISC"}, {"url": "http://packetstormsecurity.com/files/153841/Oracle-Hyperion-Planning-11.1.2.3-XML-Injection.html", "name": "http://packetstormsecurity.com/files/153841/Oracle-Hyperion-Planning-11.1.2.3-XML-Injection.html", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Vulnerability in the Oracle Hyperion Planning component of Oracle Hyperion (subcomponent: Security). The supported version that is affected is 11.1.2.4. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hyperion Planning. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Hyperion Planning accessible data. CVSS 3.0 Base Score 4.2 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hyperion Planning. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Hyperion Planning accessible data."}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2019-2861", "STATE": "PUBLIC", "ASSIGNER": "secalert_us@oracle.com"}}}}, "cveMetadata": {"cveId": "CVE-2019-2861", "state": "PUBLISHED", "dateUpdated": "2024-10-01T16:35:26.938Z", "dateReserved": "2018-12-14T00:00:00", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "datePublished": "2019-07-23T22:31:51", "assignerShortName": "oracle"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:hyperion_planning:11.1.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "86045AB3-7CCA-49D0-B6FA-DA57A55248DE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle Hyperion Planning component of Oracle Hyperion (subcomponent: Security). The supported version that is affected is 11.1.2.4. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hyperion Planning. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Hyperion Planning accessible data. CVSS 3.0 Base Score 4.2 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N)."}, {"lang": "es", "value": "Una vulnerabilidad en el componente Oracle Hyperion Planning de Hyperion de Oracle (subcomponente: Segurity). La versi\u00f3n compatible que est\u00e1 afectada es 11.1.2.4. Una vulnerabilidad dif\u00edcil de explotar permite a un atacante muy privilegiado con acceso a la red por medio de HTTP comprometer a Oracle Hyperion Planning. Los ataques con \u00e9xito requieren la interacci\u00f3n humana de una persona distinta al atacante. Los ataques con \u00e9xito de esta vulnerabilidad pueden resultar en la creaci\u00f3n, eliminaci\u00f3n o modificaci\u00f3n no autorizada de los datos cr\u00edticos o de todos los datos accesibles de Oracle Hyperion Planning. CVSS 3.0 Puntuaci\u00f3n Base 4.2 (Impactos de integridad). Vector CVSS: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N)."}], "id": "CVE-2019-2861", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 0.5, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-23T23:15:46.303", "references": [{"source": "secalert_us@oracle.com", "url": "http://packetstormsecurity.com/files/153841/Oracle-Hyperion-Planning-11.1.2.3-XML-Injection.html"}, {"source": "secalert_us@oracle.com", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}