Unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.4, 11.1.1.6, and 11.1.2.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Servlet. NOTE: the previous information is from the October 2012 CPU. Oracle has not commented on claims from the original researcher that the PARSEQUERY function allows remote attackers to obtain database credentials via reports/rwservlet/parsequery, and that this issue occurs in earlier versions. NOTE: this can be leveraged with CVE-2012-3152 to execute arbitrary code by uploading a .jsp file.
CVE-2012-3153
Score elevated to 9.0 because EPSS predicts 92% probability of exploitation within the next 30 days (top 0.3% of all CVEs). Confidence: see factors.
- High exploitation likelihood — EPSS 98%
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- —
- EG Score
- 9.0(low)
- EPSS
- 99.9%
- KEV
- Not listed
Published
October 16, 2012
Last Modified
April 29, 2026
References (16)
- secalert_us@oraclehttp://blog.netinfiltration.com/2013/11/03/oracle-reports-cve-2012-3152-and-cve-2012-3153/
- secalert_us@oraclehttp://blog.netinfiltration.com/2014/01/19/upcoming-exploit-release-oracle-forms-and-reports-11g/
- secalert_us@oraclehttp://seclists.org/fulldisclosure/2014/Jan/186
- secalert_us@oraclehttp://www.exploit-db.com/exploits/31253
- secalert_us@oraclehttp://www.mandriva.com/security/advisories?name=MDVSA-2013:150
- secalert_us@oraclehttp://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
- secalert_us@oraclehttp://www.securityfocus.com/bid/55961
- secalert_us@oraclehttps://exchange.xforce.ibmcloud.com/vulnerabilities/79296
- af854a3a-2127-422b-91ae-364da2661108http://blog.netinfiltration.com/2013/11/03/oracle-reports-cve-2012-3152-and-cve-2012-3153/
- af854a3a-2127-422b-91ae-364da2661108http://blog.netinfiltration.com/2014/01/19/upcoming-exploit-release-oracle-forms-and-reports-11g/
- af854a3a-2127-422b-91ae-364da2661108http://seclists.org/fulldisclosure/2014/Jan/186
- af854a3a-2127-422b-91ae-364da2661108http://www.exploit-db.com/exploits/31253
- af854a3a-2127-422b-91ae-364da2661108http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
- af854a3a-2127-422b-91ae-364da2661108http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
- af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/55961
Data Freshness Timeline
(refreshed 2× in last 7d / 12× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-06 16:23 UTCEPSS rescore
- 2026-07-01 15:02 UTCEPSS rescore
- 2026-06-28 14:03 UTCEPSS rescore
- 2026-06-28 04:53 UTCEPSS rescore
- 2026-06-28 04:53 UTCEPSS rescore
- 2026-06-23 21:30 UTCEPSS rescore
- 2026-06-16 17:49 UTCEPSS rescore
- 2026-06-16 17:49 UTCEPSS rescore
- 2026-06-15 17:44 UTCEPSS rescore
- 2026-06-12 23:08 UTCEPSS rescore
- 2026-06-10 22:14 UTCEPSS rescore
- 2026-06-10 13:18 UTCEPSS rescore
- 2026-06-06 13:45 UTCEPSS rescore
- 2026-06-06 13:45 UTCEPSS rescore
- 2026-06-05 22:44 UTCEPSS rescore
- 2026-06-05 22:44 UTCEPSS rescore
- 2026-06-04 13:09 UTCEPSS rescore
- 2026-05-31 22:28 UTCEPSS rescore
- 2026-05-31 22:28 UTCEPSS rescore
- 2026-05-31 00:14 UTCEPSS rescore
- 2026-05-31 00:14 UTCEPSS rescore
- 2026-05-29 02:13 UTCEG score recompute
- 2026-05-29 02:13 UTCGHSA enrichment
- 2026-05-27 13:38 UTCEPSS rescore
- 2026-05-27 13:38 UTCEPSS rescore
Show 14 moreShow fewer
- 2026-05-26 13:41 UTCEPSS rescore
- 2026-05-26 13:41 UTCEPSS rescore
- 2026-05-24 16:43 UTCEPSS rescore
- 2026-05-22 21:15 UTCEPSS rescore
- 2026-05-22 21:15 UTCEPSS rescore
- 2026-05-22 21:15 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-20 11:21 UTCEPSS rescore
- 2026-05-20 11:21 UTCEPSS rescore
- 2026-05-20 11:21 UTCEPSS rescore
- 2026-05-18 21:29 UTCEPSS rescore
- 2026-05-18 21:29 UTCEPSS rescore
Publicly available exploits
(4 references)Working exploit code is in the public domain (1 Metasploit module) (1 GitHub PoC) (1 Exploit-DB entry). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- Exploit-DBEDB-31253First seen Jan 29, 2014
Oracle Forms and Reports 11.1 - Arbitrary Code Execution
Open source ↗ - GitHub PoCMekanismen/pwnacle-fusionFirst seen Jan 28, 2014
Automated exploit for CVE-2012-3153 / CVE-2012-3152
Open source ↗ - Metasploitexploit/multi/http/oracle_reports_rce✓ verifiedFirst seen Jan 15, 2014
Oracle Forms and Reports Remote Code Execution
Open source ↗ - Nucleihttp/cves/2012/CVE-2012-3153.yamlFirst seen Jan 1, 2012
Oracle Forms & Reports RCE (CVE-2012-3152 & CVE-2012-3153)
Open source ↗
Frequently asked(4)
What is CVE-2012-3153?
When was CVE-2012-3153 disclosed?
Is CVE-2012-3153 actively exploited?
How do I remediate CVE-2012-3153?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2012-3153
Is Your Infrastructure Affected by CVE-2012-3153?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.