Security Advisory

Privilege escalation in Oracle Identity Analytics

By exploiting IDOR vulnerabilities, a low privileged adversary can gain access to datasets from other accounts.

Advisory ID: MLSA-2018-001
CVE: CVE-2018-3168
Severity: high
Affected versions: ≤
Fixed versions: >
Discovered by: Hans-Martin Münch

Product description

Oracle Identity Analytics provides enterprises with the ability to define and manage roles and automate critical identity-based controls. Once roles are defined, certified, and assigned, the software continues to deliver scalable and sustainable identity governance.


Oracle Identity Analytics uses Direct Web Remoting (DWR) to implement Remote Procedure Calls from the Web Interface. The methods that can be accessed using DWR don’t validate if the current user has access to the objects referenced by the provided IDs. This can be abused to access to gain access to data from other users.

Coordinated Disclosure Timeline

  • xx/xx/2018 Report to Oracle
  • 16/10/2018 Release of Oracle Critical Patch Update.