Vulnerability CVE-2004-1367


Published: 2004-08-04   Modified: 2012-02-12

Description:
Oracle 10g Database Server, when installed with a password that contains an exclamation point ("!") for the (1) DBSNMP or (2) SYSMAN user, generates an error that logs the password in the world-readable postDBCreation.log file, which could allow local users to obtain that password and use it against SYS or SYSTEM accounts, which may have been installed with the same password.

Type:

CWE-200

(Information Exposure)

CVSS2 => (AV:L/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.4/10
6.4/10
3.4/10
Exploit range
Attack complexity
Authentication
Local
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Oracle -> Application server 
Oracle -> Collaboration suite 
Oracle -> E-business suite 
Oracle -> Enterprise manager 
Oracle -> Enterprise manager database control 
Oracle -> Enterprise manager grid control 
Oracle -> Oracle10g 
Oracle -> Oracle8i 
Oracle -> Oracle9i 

 References:
http://www.us-cert.gov/cas/techalerts/TA04-245A.html
http://www.kb.cert.org/vuls/id/316206
http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf
http://www.ngssoftware.com/advisories/oracle23122004D.txt
http://marc.theaimsgroup.com/?l=bugtraq&m=110382247308064&w=2
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101782-1

Copyright 2021, cxsecurity.com

 

Back to Top