Summary
| Detail | |||
|---|---|---|---|
| Vendor | Oracle | First view | 2005-05-02 |
| Product | Database Server | Last view | 2023-10-17 |
| Version | 10.1.0.3 | Type | Application |
| Update | * | ||
| Edition | * | ||
| Language | * | ||
| Sofware Edition | * | ||
| Target Software | * | ||
| Target Hardware | * | ||
| Other | * | ||
| CPE Product | cpe:2.3:a:oracle:database_server | ||
Activity : Overall
Related : CVE
| Date | Alert | Description | |
|---|---|---|---|
| 4.3 | 2023-10-17 | CVE-2023-22096 | Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.20 and 21.3-21.11. Easily exploitable vulnerability allows low privileged attacker having Create Session, Create Procedure privilege with network access via Oracle Net to compromise Java VM. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java VM accessible data. CVSS 3.1 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N). |
| 4.9 | 2023-10-17 | CVE-2023-22077 | Vulnerability in the Oracle Database Recovery Manager component of Oracle Database Server. Supported versions that are affected are 19.3-19.20 and 21.3-21.11. Easily exploitable vulnerability allows high privileged attacker having DBA account privilege with network access via Oracle Net to compromise Oracle Database Recovery Manager. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Database Recovery Manager. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). |
| 2.4 | 2023-10-17 | CVE-2023-22075 | Vulnerability in the Oracle Database Sharding component of Oracle Database Server. Supported versions that are affected are 19.3-19.20 and 21.3-21.11. Easily exploitable vulnerability allows high privileged attacker having Create Session, Create Any View, Select Any Table privilege with network access via Oracle Net to compromise Oracle Database Sharding. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Database Sharding. CVSS 3.1 Base Score 2.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:L). |
| 2.4 | 2023-10-17 | CVE-2023-22074 | Vulnerability in the Oracle Database Sharding component of Oracle Database Server. Supported versions that are affected are 19.3-19.20 and 21.3-21.11. Easily exploitable vulnerability allows high privileged attacker having Create Session, Select Any Dictionary privilege with network access via Oracle Net to compromise Oracle Database Sharding. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Database Sharding. CVSS 3.1 Base Score 2.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:L). |
| 4.3 | 2023-10-17 | CVE-2023-22073 | Vulnerability in the Oracle Notification Server component of Oracle Database Server. Supported versions that are affected are 19.3-19.20 and 21.3-21.11. Easily exploitable vulnerability allows unauthenticated attacker with access to the physical communication segment attached to the hardware where the Oracle Notification Server executes to compromise Oracle Notification Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Notification Server accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). |
| 5.9 | 2023-10-17 | CVE-2023-22071 | Vulnerability in the PL/SQL component of Oracle Database Server. Supported versions that are affected are 19.3-19.20 and 21.3-21.11. Easily exploitable vulnerability allows high privileged attacker having Create Session, Execute on sys.utl_http privilege with network access via Oracle Net to compromise PL/SQL. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PL/SQL, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PL/SQL accessible data as well as unauthorized read access to a subset of PL/SQL accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of PL/SQL. CVSS 3.1 Base Score 5.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L). |
| 3.1 | 2023-07-18 | CVE-2023-22052 | Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.19 and 21.3-21.10. Difficult to exploit vulnerability allows low privileged attacker having Create Session, Create Procedure privilege with network access via multiple protocols to compromise Java VM. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java VM accessible data. CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N). |
| 4.9 | 2023-07-18 | CVE-2023-22034 | Vulnerability in the Unified Audit component of Oracle Database Server. Supported versions that are affected are 19.3-19.19 and 21.3-21.10. Easily exploitable vulnerability allows high privileged attacker having SYSDBA privilege with network access via Oracle Net to compromise Unified Audit. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Unified Audit accessible data. CVSS 3.1 Base Score 4.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N). |
| 3.7 | 2023-07-18 | CVE-2023-21949 | Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versions that are affected are 19.3-19.19 and 21.3-21.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Advanced Networking Option. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Advanced Networking Option accessible data. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). |
| 8.5 | 2007-11-08 | CVE-2007-5897 | Buffer overflow in MDSYS.SDO_CS in Oracle Database Server 8iR3, 9iR1, 9iR2 up to 9.2.0.6, and 10gR1 up to 10.1.0.4 allows remote authenticated users to cause a denial of service (crash) and execute arbitrary code via the TRANSFORM function. NOTE: this issue might already be covered by CVE-2007-5515, CVE-2007-5509, or CVE-2007-5505, but there are insufficient details to be sure. |
| 9 | 2006-10-17 | CVE-2006-5343 | Unspecified vulnerability in Database Scheduler component in Oracle Database 10.1.0.3 has unknown impact and remote authenticated attack vectors related to sys.dbms_scheduler, aka Vuln# DB19. |
| 7.1 | 2006-10-17 | CVE-2006-5342 | Unspecified vulnerability in Oracle Spatial component in Oracle Database 9.0.1.5, 9.2.0.6, and 10.1.0.3 has unknown impact and remote authenticated attack vectors related to mdsys.sdo_tune, aka Vuln# DB18. NOTE: as of 20061023, Oracle has not disputed reports from reliable third parties that DB18 might be related to SQL injection in the EXTENT_OF function. |
| 7.5 | 2006-02-03 | CVE-2006-0551 | SQL injection vulnerability in the Data Pump Metadata API in Oracle Database 10g and possibly earlier might allow remote attackers to execute arbitrary SQL commands via unknown vectors. NOTE: due to the lack of relevant details from the Oracle advisory, a separate CVE is being created since it cannot be conclusively proven that this issue has been addressed by Oracle. It is possible that this is the same issue as Oracle Vuln# DB06 from the January 2006 CPU, in which case this would be subsumed by CVE-2006-0259 or, if it is DB05, subsumed by CVE-2006-0260. |
| 10 | 2006-01-18 | CVE-2006-0256 | Unspecified vulnerability in the Advanced Queuing component of Oracle Database server 8.1.7.4, 9.0.1.5, 9.2.0.6, 10.1.0.3 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB01. |
| 10 | 2005-11-02 | CVE-2005-3445 | Multiple unspecified vulnerabilities in HTTP Server in Oracle Database Server 8i up to 10.1.0.4.2 and Application Server 1.0.2.2 up to 10.1.2.0 have unknown impact and attack vectors, aka Oracle Vuln# (1) DB30 and AS03 or (2) DB31 and AS05. |
| 10 | 2005-11-02 | CVE-2005-3443 | Unspecified vulnerability in the Spatial component in Oracle Database Server from 9i up to 10.1.0.3 has unknown impact and attack vectors, aka Oracle Vuln# DB17. |
| 10 | 2005-11-02 | CVE-2005-3440 | Unspecified vulnerability in Database Scheduler in Oracle Database Server 10g up to 10.1.0.3 has unknown impact and attack vectors, aka Oracle Vuln# DB08. |
| 10 | 2005-11-02 | CVE-2005-3438 | Multiple unspecified vulnerabilities in Oracle Database Server 9i up to 10.1.0.4.2 have unknown impact and attack vectors, aka Oracle Vuln# (1) DB04 in Change Data Capture; (2) DB06 in Data Guard Logical Standby; (3) DB10 in Locale; (4) DB12 in Materialized Views; (5) DB13 in Objects Extension; (6) DB15 in Oracle Label Security; (7) DB27 in Security, possibly due to a buffer overflow in sys.pbsde.init; and (8) DB28 and (9) DB29 in Workspace Manager. |
| 10 | 2005-11-02 | CVE-2005-3437 | Unspecified vulnerability in the PL/SQL component in Oracle Database Server 9i up to 10.1.0.4 has unknown impact and attack vectors, aka Oracle Vuln# DB01. |
| 7.5 | 2005-05-02 | CVE-2005-1197 | SQL injection vulnerability in the SYS.DBMS_CDC_IPUBLISH.CREATE_SCN_CHANGE_SET procedure in Oracle Database Server 10g allows remote attackers to execute arbitrary SQL commands via the CHANGE_SET_NAME parameter. |
| 5 | 2005-05-02 | CVE-2005-0298 | The DIRECTORY objects in Oracle 8i through Oracle 10g contain the location of a specific operating system directory, which allows users with read privileges to a DIRECTORY object to obtain sensitive information. |
CWE : Common Weakness Enumeration
| % | id | Name |
|---|---|---|
| 100% (1) | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
SAINT Exploits
| Description | Link |
|---|---|
| Oracle Security Component sys.pbsde buffer overflow | More info here |
Open Source Vulnerability Database (OSVDB)
| id | Description |
|---|---|
| 40081 | Oracle Database MDSYS.SDO_CS TRANSFORM Function Remote Overflow |
| 31460 | Oracle Database Scheduler sys.dbms_scheduler Unspecified Issue |
| 31459 | Oracle Database Spatial mdsys.sdo_tune Unspecified Issue |
| 22643 | Oracle Database Data Pump Metadata API DBMS_METADATA Unspecified Procedure SQ... |
| 22637 | Oracle Database Data Pump Metadata API DBMS_METADATA_INT Multiple Procedure S... |
| 22544 | Oracle Database Data Pump Metadata API DBMS_DATAPUMP Multiple Procedure SQL I... |
| 22543 | Oracle Database Data Pump Metadata API DBMS_METADATA_UTIL Multiple Procedure ... |
| 22539 | Oracle Database Advanced Queuing sys.dbms_aqadm_sys* Unspecified SQL Issue |
| 20616 | Oracle Database/Application HTTP Server Unspecified Remote Issue |
| 20615 | Oracle Database/Application HTTP Server Unspecified Local Issue |
| 20614 | Oracle Database Workspace Manager sys.lt_ctx_pkg Unspecified SQL Issue |
| 20613 | Oracle Database Workspace Manager sys.lt Unspecified SQL Issue |
| 20612 | Oracle Database Security Component sys.pbsde.init Procedure Overflow |
| 20601 | Oracle Database Spatial mdsys.sdo_tune Unspecified SQL Issue |
| 20600 | Oracle Database Spatial mdsys.sdo_rtree_admin Unspecified SQL Issue |
| 20599 | Oracle Database Spatial mdsys.sdo_idx Unspecified Difficult SQL Issue |
| 20597 | Oracle Database Label Security lbacsys.lbac_session Unspecified SQL Issue |
| 20595 | Oracle Database Objects Extensions map methods Unspecified SQL Issue |
| 20594 | Oracle Database Materialized Views sys.dbms_snapshot Unspecified SQL Issue (D... |
| 20592 | Oracle Database Locale sys.utl_i18n Unspecified Trivial DoS |
| 20590 | Oracle Database Scheduler sys.dbms_scheduler Unspecified Difficult SQL Issue |
| 20588 | Oracle Database Data Guard Logical Standby sys.dbms_logstdby Unspecified Tri... |
| 20586 | Oracle Database Change Data Capture sys.dbms_cdc_subscribe Unspecified Trivia... |
| 20583 | Oracle Database PL/SQL sys.standard Unspecified SQL Issue |
| 15813 | Oracle Database Server Change Data Capture DBMS_CDC_IPUBLISH CREATE_SCN_CHANG... |
OpenVAS Exploits
| id | Description |
|---|---|
| 2011-12-07 | Name : Oracle Database Server Multiple Unspecified Vulnerabilities File : nvt/gb_oracle_database_mult_unspecified_vuln.nasl |
| 2011-12-07 | Name : Oracle Database Server Multiple Vulnerabilities - Oct 06 File : nvt/gb_oracle_database_server_mult_vuln_oct06.nasl |
Snort® IPS/IDS
| Date | Description |
|---|---|
| 2014-01-10 | sys.pbsde.init buffer overflow attempt RuleID : 4642 - Type : SERVER-ORACLE - Revision : 8 |
| 2014-01-10 | DBMS_CDC_ISUBSCRIBE.CREATE_SUBSCRIPTION arbitrary command execution attempt RuleID : 17480 - Type : SERVER-ORACLE - Revision : 6 |
| 2014-01-10 | DBMS_CDC_ISUBSCRIBE.SUBSCRIBE arbitrary command execution attempt RuleID : 17479 - Type : SERVER-ORACLE - Revision : 6 |
| 2014-01-10 | DBMS_CDC_SUBSCRIBE.SUBSCRIBE arbitrary command execution attempt RuleID : 17478 - Type : SERVER-ORACLE - Revision : 6 |
| 2014-01-10 | DBMS_CDC_SUBSCRIBE.DROP_SUBSCRIPTION arbitrary command execution attempt RuleID : 17477 - Type : SERVER-ORACLE - Revision : 6 |
| 2014-01-10 | DBMS_CDC_SUBSCRIBE.PURGE_WINDOW arbitrary command execution attempt RuleID : 17476 - Type : SERVER-ORACLE - Revision : 6 |
| 2014-01-10 | DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION arbitrary command execution attempt RuleID : 17475 - Type : SERVER-ORACLE - Revision : 6 |
| 2014-01-10 | DBMS_CDC_SUBSCRIBE.CREATE_SUBSCRIPTION arbitrary command execution attempt RuleID : 17474 - Type : SERVER-ORACLE - Revision : 6 |
| 2014-01-10 | DBMS_CDC_SUBSCRIBE.EXTEND_WINDOW arbitrary command execution attempt RuleID : 17473 - Type : SERVER-ORACLE - Revision : 9 |
| 2014-01-10 | DBMS_METADATA Package SQL Injection attempt RuleID : 17270 - Type : SERVER-ORACLE - Revision : 7 |
Nessus® Vulnerability Scanner
| id | Description |
|---|---|
| 2012-01-24 | Name: The remote web server may be affected by multiple vulnerabilities. File: oracle_application_server_pci.nasl - Type: ACT_GATHER_INFO |
| 2011-11-16 | Name: The remote database server is affected by multiple vulnerabilities. File: oracle_rdbms_cpu_jan_2006.nasl - Type: ACT_GATHER_INFO |
| 2011-11-16 | Name: The remote database server is affected by multiple vulnerabilities. File: oracle_rdbms_cpu_oct_2006.nasl - Type: ACT_GATHER_INFO |
