|
|
Info |
Last Modified |
| 8 months ago |
|
|
|
|
Description |
Oracle Database Server contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the DBMS_REGISTRY package not properly sanitizing user-supplied input to the IS_COMPONENT, GET_COMP_OPTION, DISABLE_DDL_TRIGGERS, SCRIPT_EXISTS, COMP_PATH, GATHER_STATS, NOTHING_SCRIPT or VALIDATE_COMPONENTS procedures. This may allow an attacker to inject or manipulate SQL queries in the backend database.
|
|
Classification |
Location:
Remote/Network Access Required
Attack Type:
Information Disclosure,
Input Manipulation
Impact:
Loss of Confidentiality,
Loss of Integrity
Exploit:
Exploit Unknown
Disclosure:
OSVDB Verified,
Vendor Verified
OSVDB:
Web Related
|
|
Solution |
Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle has released a patch (Jan2006 Critical Patch Update) to address this vulnerability.
|
|
Products |
|
Database 10g Release 2
 |
10.2.0.1 |
Database 10g Release 1
|
10.1.0.3 |
10.1.0.4 |
10.1.0.5 |
10.1.0.4.2 |
9i Database Release 2
|
9.2.0.6 |
9.2.0.7 |
8i Database Release 3
|
8.1.7.4 |
9i Database Release 1
|
9.0.1.4 |
9.0.1.5 |
9.0.1.5 FIPS |
8 Database Release 8.0.6
|
8.0.6.3 |
|
|
|
|
Credit |
Unknown or Incomplete
|
|
BlogsProvided by Technorati
|
None found at this time
|
|
|
