Vulnerability CVE-2004-1370


Published: 2004-08-04   Modified: 2012-02-12

Description:
Multiple SQL injection vulnerabilities in PL/SQL procedures that run with definer rights in Oracle 9i and 10g allow remote attackers to execute arbitrary SQL commands and gain privileges via (1) DBMS_EXPORT_EXTENSION, (2) WK_ACL.GET_ACL, (3) WK_ACL.STORE_ACL, (4) WK_ADM.COMPLETE_ACL_SNAPSHOT, (5) WK_ACL.DELETE_ACLS_WITH_STATEMENT, or (6) DRILOAD.VALIDATE_STMT.

Vendor: Oracle
Product: Oracle9i 
Version:
standard_9.2.0.5
standard_9.2.0.4
standard_9.2.0.3
standard_9.2.0.2
standard_9.2.0.1
standard_9.2
standard_9.0.2
standard_9.0.1.5
standard_9.0.1.4
standard_9.0.1.3
standard_9.0.1.2
standard_9.0.1
standard_9.0
standard_8.1.7
personal_9.2.0.5
personal_9.2.0.4
personal_9.2.0.3
personal_9.2.0.2
personal_9.2.0.1
personal_9.2
personal_9.0.1.5
personal_9.0.1.4
personal_9.0.1
personal_8.1.7
enterprise_9.2.0.5
enterprise_9.2.0.4
enterprise_9.2.0.3
enterprise_9.2.0.2
enterprise_9.2.0.1
enterprise_9.2.0
enterprise_9.0.1.5
enterprise_9.0.1.4
enterprise_9.0.1
enterprise_8.1.7
client_9.2.0.2
client_9.2.0.1
Product: Oracle10g 
Version:
standard_9.0.4_.0
standard_10.1_.0.2
personal_9.0.4_.0
personal_10.1_.0.2
enterprise_9.0.4_.0
enterprise_10.1.0.2
Product: Oracle8i 
Version:
standard_8.1.7_.4
standard_8.1.7_.1
standard_8.1.7_.0.0
standard_8.1.7
standard_8.1.6
standard_8.1.5
standard_8.0.6_.3
standard_8.0.6
enterprise_8.1.7_.4
enterprise_8.1.7_.1.0
enterprise_8.1.7_.0.0
enterprise_8.1.6_.1.0
enterprise_8.1.6_.0.0
enterprise_8.1.5_.1.0
enterprise_8.1.5_.0.2
enterprise_8.1.5_.0.0
enterprise_8.0.6_.0.1
enterprise_8.0.6_.0.0
enterprise_8.0.5_.0.0
Product: Collaboration suite 
Version: release_1;
Product: Application server 
Version:
9.0.4.1
9.0.4.0
9.0.4
9.0.3.1
9.0.3
9.0.2.3
9.0.2.2
9.0.2.1
9.0.2.0.1
9.0.2.0.0
9.0.2
Product: Enterprise manager 
Version: 9.0.1; 9;
Product: E-business suite 
Version:
11.5.9
11.5.8
11.5.7
11.5.6
11.5.5
11.5.4
11.5.3
11.5.2
11.5.1
Product: Enterprise manager database control 
Version: 10.1.2;
Product: Enterprise manager grid control 
Version: 10.1.0.2;

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10

Exploit range: Remote
Attack complexity: Low
Authentication: Not required

Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

References:
http://www.us-cert.gov/cas/techalerts/TA04-245A.html
http://www.kb.cert.org/vuls/id/316206
http://xforce.iss.net/xforce/xfdb/18665
http://www.securityfocus.com/bid/10871
http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf
http://www.ngssoftware.com/advisories/oracle23122004H.txt
http://marc.theaimsgroup.com/?l=bugtraq&m=110382596129607&w=2
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101782-1


Copyright 2019, cxsecurity.com

 
