CVE-2020-14864

7.5 HIGH

📋 TL;DR

CVE-2020-14864 is a local file inclusion vulnerability in Oracle Business Intelligence Enterprise Edition that allows unauthenticated attackers to read sensitive files on the server via HTTP requests. This affects Oracle BI EE versions 5.5.0.0.0, 12.2.1.3.0, and 12.2.1.4.0. Attackers can exploit this to access critical configuration files, credentials, and other sensitive data.

💻 Affected Systems

Products:
  • Oracle Business Intelligence Enterprise Edition
Versions: 5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0
Operating Systems: All supported platforms for Oracle BI EE
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Installation component of Oracle Fusion Middleware. All default installations of affected versions are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of all Oracle BI EE accessible data including database credentials, configuration files, and sensitive business intelligence data, potentially leading to data exfiltration and further system compromise.

🟠 Likely Case

Unauthorized access to configuration files containing database credentials, allowing attackers to pivot to database systems and exfiltrate sensitive business data.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls, potentially only exposing non-sensitive files if file permissions are properly configured.

🌐 Internet-Facing: HIGH - Unauthenticated network access via HTTP makes internet-facing instances extremely vulnerable to automated scanning and exploitation.
🏢 Internal Only: MEDIUM - While still exploitable, internal-only deployments have reduced attack surface but remain vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available on Packet Storm Security. The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply patches from Oracle Critical Patch Update October 2020

Vendor Advisory: https://www.oracle.com/security-alerts/cpuoct2020.html

Restart Required: Yes

Instructions:

1. Download the appropriate patch from Oracle Support.
2. Apply the patch following Oracle's patching procedures.
3. Restart the Oracle BI EE services.
4. Verify the patch was successfully applied.

🔧 Temporary Workarounds

Network Access Restriction

Restrict network access to Oracle BI EE instances to only trusted IP addresses and networks.

Use firewall rules to limit access (replace trusted_network with your CIDR, and adjust the ports to those your BI EE front end actually listens on; because these rules are appended, they must come before any earlier blanket ACCEPT in the chain):

  iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
  iptables -A INPUT -p tcp --dport 443 -s trusted_network -j ACCEPT
  iptables -A INPUT -p tcp --dport 80 -j DROP
  iptables -A INPUT -p tcp --dport 443 -j DROP

Web Application Firewall Rules

Implement WAF rules to block path traversal attempts and local file inclusion patterns.

ModSecurity rule (REQUEST_URI is matched raw, so the rule decodes the URI first; this catches ../, ..\ and the percent-encoded %2f and %5c forms with one expression):

  SecRule REQUEST_URI "@rx (?:^|[\\/])\.\.(?:[\\/]|$)" "id:1001,phase:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Path Traversal Attempt'"

Add a second t:urlDecodeUni if double-encoded requests (%252f) reach the application, and a companion rule for the file:// scheme so that '../', '..\\' and file:// are all blocked.

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access to Oracle BI EE instances only to authorized users and systems.
  • Deploy a web application firewall with rules specifically designed to detect and block path traversal and local file inclusion attacks.

🔍 How to Verify

Check if Vulnerable:

Check if your Oracle BI EE version is 5.5.0.0.0, 12.2.1.3.0, or 12.2.1.4.0. Test with a non-destructive LFI test using a known safe file path.

Check Version:

Check Oracle BI EE version through the administration console or by examining installation logs and configuration files.

Verify Fix Applied:

Verify the patch has been applied by checking the version and attempting to reproduce the vulnerability with a safe test payload.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing path traversal sequences (../, ..\\)
  • Unusual file access patterns in application logs
  • Multiple failed attempts to access system files

Network Indicators:

  • HTTP requests with unusual file paths or traversal sequences
  • Traffic patterns indicating file enumeration attempts

SIEM Query:

source="oracle_bi_logs" AND (http_uri="*../*" OR http_uri="*..\\*" OR http_uri="*file:*")
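The indicators above (traversal sequences, the file: scheme, and repeated attempts from one client) can be checked offline before they are turned into a SIEM query. The following Python script is an added example written for this page, not tooling from Oracle or from the advisory; it parses a few constructed Apache-style access-log lines (made up for the example, not real BI EE traffic), normalises each request URI so that ../, ..\, %2f and double-encoded %252f all look the same, flags traversal and file: indicators, and then lists client IPs whose flagged-request count crosses an enumeration threshold. The log format and the threshold value are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines in NCSA/Apache combined-log style. These are
# made up for the example and are not real Oracle BI EE traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Oct/2020:10:01:02 +0000] "GET /bi/home HTTP/1.1" 200 5120
10.0.0.7 - - [20/Oct/2020:10:01:05 +0000] "GET /bi/../../../etc/passwd HTTP/1.1" 403 0
10.0.0.7 - - [20/Oct/2020:10:01:06 +0000] "GET /bi/..%2f..%2fetc/passwd HTTP/1.1" 200 1234
10.0.0.7 - - [20/Oct/2020:10:01:07 +0000] "GET /bi/..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1234
10.0.0.9 - - [20/Oct/2020:10:02:00 +0000] "GET /bi/report?src=file:///etc/hosts HTTP/1.1" 200 88
"""

# Assumed log layout: client ip, ident, user, [timestamp], "METHOD URI PROTO", status, size.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

TRAVERSAL = re.compile(r'(^|/)\.\.(/|$)')      # a ".." path segment after normalisation
FILE_SCHEME = re.compile(r'\bfile:', re.IGNORECASE)


def normalize_uri(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (so %252f double encoding is caught), fold backslashes
    to forward slashes and lower-case, so one regex sees every spelling of '../'."""
    decoded = uri
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/").lower()


def classify_request(uri: str) -> list[str]:
    """Return indicator names for one request URI (empty list when nothing matches)."""
    norm = normalize_uri(uri)
    indicators = []
    if TRAVERSAL.search(norm):
        indicators.append("path_traversal")
    if FILE_SCHEME.search(norm):
        indicators.append("file_scheme")
    return indicators


def scan_log(text: str) -> list[dict]:
    """Parse each log line and keep only the requests that carry an indicator.
    Failed (403) attempts are kept too: repeated failures are themselves a signal."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash on real logs
        indicators = classify_request(m["uri"])
        if indicators:
            findings.append({"ip": m["ip"], "ts": m["ts"], "uri": m["uri"],
                             "status": int(m["status"]), "indicators": indicators})
    return findings


def enumeration_sources(findings: list[dict], threshold: int = 3) -> list[str]:
    """Client IPs with at least `threshold` flagged requests: the 'multiple attempts'
    and 'file enumeration' patterns listed under Log and Network Indicators.
    The threshold of 3 is an assumed tuning value."""
    counts = Counter(f["ip"] for f in findings)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ip"]} {h["status"]} {h["uri"]} -> {",".join(h["indicators"])}')
    print("enumeration sources:", enumeration_sources(hits))
```

Running the script on the embedded sample flags four of the five lines and names 10.0.0.7 as an enumeration source; the benign /bi/home request is not flagged. The normalisation step is the part worth carrying into the SIEM query: the wildcard match on "*../*" alone misses the percent-encoded and double-encoded requests in the sample, so decode the URI (or match on the decoded field your log pipeline provides) before applying the pattern.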
