Signature Detail
Short Name |
DB:ORACLE:DBMS-CDC-PUBLISH-INJ |
|---|---|
Severity |
High |
Recommended |
No |
Recommended Action |
Drop |
Category |
DB |
Keywords |
Oracle Database Server DBMS_CDC_PUBLISH SQL Injection |
Release Date |
2010/10/11 |
Update Number |
1789 |
Supported Platforms |
idp-4.0+, isg-3.1.134269+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+ |
DB: Oracle Database Server DBMS_CDC_PUBLISH SQL Injection
Oracle Database Server contains an SQL injection vulnerability. The vulnerability is due to input validation errors in the DROP_CHANGE_SOURCE and ALTER_CHANGE_SOURCE procedures of the DBMS_CDC_PUBLISH package. Remote authenticated attackers with EXECUTE permission on the SYS.DBMS_CDC_PUBLISH package can exploit this vulnerability by sending a specially crafted parameter to the affected procedures. Successful exploitation would result in disclosure of information, and modification or manipulation of the data in the underlying database.
Extended Description
Oracle Database is prone to a remote SQL-injection vulnerability in the 'Change Data Capture' component. The vulnerability can be exploited over the 'Oracle Net' protocol. For an exploit to succeed, the attacker must have 'Execute on SYS.DBMS_CDC_PUBLISH' privileges. This vulnerability affects the following supported versions: 9.2.0.8, 9.2.0.8DV
Affected Products
- Oracle Oracle9i Enterprise Edition 9.2.0.8.0
- Oracle Oracle9i Enterprise Edition 9.2.0 .8DV
- Oracle Oracle9i Personal Edition 9.2.0 .8DV
- Oracle Oracle9i Standard Edition 9.2.0.8
- Oracle Oracle9i Standard Edition 9.2.0 .8DV
References
- BugTraq: 39422
- CVE: CVE-2010-0870