CVE-2012-3152

CRITICAL CISA KEV

Unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.4, 11.1.1.6, and 11.1.2.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Report Server Component. NOTE: the previous information is from the October 2012 CPU. Oracle has not commented on claims from the original researcher that the URLPARAMETER functionality allows remote attackers to read and upload arbitrary files to reports/rwservlet, and that this issue occurs in earlier versions. NOTE: this can be leveraged with CVE-2012-3153 to execute arbitrary code by uploading a .jsp file.

Published: Oct 16, 2012 Modified: Apr 21, 2026

NVD-CWE-noinfo

CVSS Metrics

CVSSv3

Attack Vector: NETWORK Attack Complexity: LOW Privileges Required: NONE User Interaction: NONE Scope: UNCHANGED Confidentiality Impact: HIGH Integrity Impact: HIGH Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Products (3)

Vendor	Product	Version
oracle	fusion_middleware	11.1.1.4.0
oracle	fusion_middleware	11.1.1.6.0
oracle	fusion_middleware	11.1.2.0

GitHub Security Advisory GHSA-x6c2-j4cw-94j8

Unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware...

References (23)

http://blog.netinfiltration.com/2013/11/03/oracle-reports-cve-2012-3152-and-cve-2012-3153/ Broken Link
http://blog.netinfiltration.com/2014/01/19/upcoming-exploit-release-oracle-forms-and-reports-11g/ Broken Link
http://seclists.org/fulldisclosure/2014/Jan/186 Mailing List, Third Party Advisory
http://www.exploit-db.com/exploits/31253 Exploit, Third Party Advisory, VDB Entry
http://www.mandriva.com/security/advisories?name=MDVSA-2013:150 Broken Link
http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html Patch, Vendor Advisory
http://www.osvdb.org/86394 Broken Link
http://www.osvdb.org/86395 Broken Link
http://www.securityfocus.com/bid/55955 Broken Link, Third Party Advisory, VDB Entry
http://www.youtube.com/watch?v=NinvMDOj7sM Exploit
https://exchange.xforce.ibmcloud.com/vulnerabilities/79295 Third Party Advisory, VDB Entry
http://blog.netinfiltration.com/2013/11/03/oracle-reports-cve-2012-3152-and-cve-2012-3153/ Broken Link
http://blog.netinfiltration.com/2014/01/19/upcoming-exploit-release-oracle-forms-and-reports-11g/ Broken Link
http://seclists.org/fulldisclosure/2014/Jan/186 Mailing List, Third Party Advisory
http://www.exploit-db.com/exploits/31253 Exploit, Third Party Advisory, VDB Entry

Risk Scores

CVSS Score 9.1 / 10

EPSS Score 93.54%

Top 0% most likely to be exploited

Threat Score 94.5 / 100

CISA Known Exploited

Date Added: 2021-11-03

Due Date: 2022-05-03

Required Action:

Apply updates per vendor instructions.

Data Sources

NVD CISA KEV EPSS GitHub