|
|
Info |
Last Modified |
| about 1 year ago |
|
|
|
|
|
Description |
Oracle Database Server contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the DBMS_DATAPUMP package not properly sanitizing user-supplied input to the GENERATE_JOB_NAME, GET_WORKERSTATUSLIST1010, GET_PARAMVALUES1010, GET_DUMPFILESET1010, GET_JOBSTATUS1010, ATTACH, and ESTABLISH_REMOTE_CONTEXT procedures. This may allow an attacker to inject or manipulate SQL queries in the backend database.
|
|
Classification |
Location:
Remote/Network Access Required
Attack Type:
Information Disclosure,
Input Manipulation
Impact:
Loss of Confidentiality,
Loss of Integrity
Exploit:
Exploit Unknown
Disclosure:
OSVDB Verified,
Vendor Verified
OSVDB:
Web Related
|
|
Solution |
Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle has released a patch (Jan2006 Critical Patch Update) to address this vulnerability.
|
|
Products |
|
Database 10g Release 2
 |
10.2.0.1 |
Database 10g Release 1
|
10.1.0.3 |
10.1.0.4 |
10.1.0.5 |
10.1.0.4.2 |
9i Database Release 2
|
9.2.0.6 |
9.2.0.7 |
8i Database Release 3
|
8.1.7.4 |
9i Database Release 1
|
9.0.1.4 |
9.0.1.5 |
9.0.1.5 FIPS |
8 Database Release 8.0.6
|
8.0.6.3 |
|
|
|
|
Credit |
Unknown or Incomplete
|
|
BlogsProvided by Technorati
|
None found at this time
|
|
|
