Back to KEVs

CVE-2012-3152

Unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.4, 11.1.1.6, and 11.1.2.0 allows remote...

Basic Information

CVE State
PUBLISHED
Reserved Date
June 06, 2012
Published Date
October 16, 2012
Last Updated
February 10, 2025
Vendor
Oracle
Product
Fusion Middleware
Description
Unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.4, 11.1.1.6, and 11.1.2.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Report Server Component. NOTE: the previous information is from the October 2012 CPU. Oracle has not commented on claims from the original researcher that the URLPARAMETER functionality allows remote attackers to read and upload arbitrary files to reports/rwservlet, and that this issue occurs in earlier versions. NOTE: this can be leveraged with CVE-2012-3153 to execute arbitrary code by uploading a .jsp file.
Tags
cisa metasploit_scanner

CVSS Scores

CVSS v3.1

9.1 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS v2.0

6.4

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2021-11-03 00:00:00 UTC) Source

References

http://blog.netinfiltration.com/2014/01/19/upcoming-exploit-release-oracle-forms-and-reports-11g/ http://www.exploit-db.com/exploits/31253 http://www.osvdb.org/86394 http://www.securityfocus.com/bid/55955 http://www.osvdb.org/86395 http://www.youtube.com/watch?v=NinvMDOj7sM http://seclists.org/fulldisclosure/2014/Jan/186 http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html https://exchange.xforce.ibmcloud.com/vulnerabilities/79295 http://blog.netinfiltration.com/2013/11/03/oracle-reports-cve-2012-3152-and-cve-2012-3153/ http://www.mandriva.com/security/advisories?name=MDVSA-2013:150

Known Exploited Vulnerability Information

Source Added Date
CISA 2021-11-03 00:00:00 UTC

Scanner Integrations

Scanner URL Date Detected
Metasploit https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/oracle_reports_rce.rb 2025-04-29 11:01:22 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel

  • Detected by Metasploit