What is CVE-2021-2401?

CVE-2021-2401 is a vulnerability in Oracle Business Intelligence that allows remote attackers to disclose sensitive information.

Is authentication required to exploit CVE-2021-2401?

No, authentication is not required to exploit CVE-2021-2401.

Which software versions of Oracle Business Intelligence are affected by CVE-2021-2401?

Oracle BI Publisher versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, and 12.2.1.4.0 are affected by CVE-2021-2401.

What is the severity of CVE-2021-2401?

CVE-2021-2401 has a severity rating of 7.5 (High).

Are there any references related to CVE-2021-2401?

Yes, you can find more information about CVE-2021-2401 at the following references: [Oracle Security Alerts](https://www.oracle.com/security-alerts/cpujul2021.html) and [Zero Day Initiative](https://www.zerodayinitiative.com/advisories/ZDI-21-887/).

What is the CWE (Common Weakness Enumeration) ID of CVE-2021-2401?

The CWE ID of CVE-2021-2401 is 611.

Vulnerability/
CVE-2021-2401

high

7.5

CWE

611

20/7/2021

26/9/2024

19/1/2025

CVE-2021-2401: Oracle Business Intelligence DOMParser XML External Entity Processing Information Disclosure Vulnerability

First published: Tue Jul 20 2021(Updated: )

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Oracle Business Intelligence. Authentication is not required to exploit this vulnerability. The specific flaw exists within the DOMParser endpoint, which listens on TCP port 9502 by default. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of the service account.

Credit: secalert_us@oracle.com

Affected Software	Affected Version	How to fix
Oracle BI Publisher	=5.5.0.0.0
Oracle BI Publisher	=11.1.1.9.0
Oracle BI Publisher	=12.2.1.3.0
Oracle BI Publisher	=12.2.1.4.0
Oracle Business Intelligence Enterprise Edition

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2021-2401?
CVE-2021-2401 is a vulnerability in Oracle Business Intelligence that allows remote attackers to disclose sensitive information.
How does CVE-2021-2401 impact Oracle Business Intelligence?
CVE-2021-2401 allows remote attackers to disclose sensitive information on affected installations of Oracle Business Intelligence.
Is authentication required to exploit CVE-2021-2401?
No, authentication is not required to exploit CVE-2021-2401.
Which software versions of Oracle Business Intelligence are affected by CVE-2021-2401?
Oracle BI Publisher versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, and 12.2.1.4.0 are affected by CVE-2021-2401.
What is the severity of CVE-2021-2401?
CVE-2021-2401 has a severity rating of 7.5 (High).
Are there any references related to CVE-2021-2401?
Yes, you can find more information about CVE-2021-2401 at the following references: [Oracle Security Alerts](https://www.oracle.com/security-alerts/cpujul2021.html) and [Zero Day Initiative](https://www.zerodayinitiative.com/advisories/ZDI-21-887/).
What is the CWE (Common Weakness Enumeration) ID of CVE-2021-2401?
The CWE ID of CVE-2021-2401 is 611.

collector/nvd-index
agent/references
agent/type
agent/severity
agent/title
agent/author
agent/weakness
agent/description
agent/first-publish-date
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/trending
collector/zdi-advisory
source/ZDI
alias/ZDI-21-887
alias/ZDI-CAN-13067
alias/CVE-2021-2401
agent/software-canonical-lookup
agent/software-canonical-lookup-request
agent/tags
agent/softwarecombine
agent/event
agent/source
vendor/oracle
canonical/oracle bi publisher
version/oracle bi publisher/5.5.0.0.0
version/oracle bi publisher/11.1.1.9.0
version/oracle bi publisher/12.2.1.3.0
version/oracle bi publisher/12.2.1.4.0
canonical/oracle business intelligence enterprise edition