Title: Oracle Database Data Pump Metadata API DBMS_METADATA_INT Multiple Procedure SQL Injection
Jan 17, 2006
Oracle Database Server contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the DBMS_METADATA_INT package not properly sanitizing user-supplied input to the MAKE_FILTER, FETCH_VIEWS_ERROR, FETCH_FILTERS, FETCH_VIEWS, SET_FILTER_COMMON, DO_FILTER_SCRIPT, SET_TABLE_FILTERS, or MAKE_FILTER_TEXT procedure. This may allow an attacker to inject or manipulate SQL queries in the back-end database.
Local Access Required,
Remote / Network Access
Loss of Confidentiality,
Loss of Integrity
Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle has released a patch (Jan2006 Critical Patch Update) to address this vulnerability.