ID CVE-2007-3855
Summary Multiple unspecified vulnerabilities in Oracle Database 9.0.1.5+, 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.3 allows remote authenticated users to have an unknown impact via (1) SYS.DBMS_DRS in the DataGuard component (DB03), (2) SYS.DBMS_STANDARD in the PL/SQL component (DB10), (3) MDSYS.RTREE_IDX in the Spatial component (DB16), and (4) SQL Compiler (DB17). NOTE: a reliable researcher claims that DB17 is for using Views to perform unauthorized insert, update, or delete actions.
References
Vulnerable Configurations
  • cpe:2.3:a:oracle:database_server:9.0.1.5
  • cpe:2.3:a:oracle:database_server:9.2.0.8
  • Oracle Database Server 9.2.0.8DV
    cpe:2.3:a:oracle:database_server:9.2.0.8dv
  • Oracle Database Server 10g 10.1.0.5
    cpe:2.3:a:oracle:database_server:10.1.0.5
  • cpe:2.3:a:oracle:database_server:10.2.0.3
CVSS
Base: 6.5 (as of 20-07-2007 - 08:07)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK LOW SINGLE_INSTANCE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
exploit-db via4
  • description Oracle Database SQL Compiler Views Unauthorized Manipulation. CVE-2007-3855. Local exploits for multiple platform
    id EDB-ID:30295
    last seen 2016-02-03
    modified 2007-07-12
    published 2007-07-12
    reporter bunker
    source https://www.exploit-db.com/download/30295/
    title Oracle Database SQL Compiler Views Unauthorized Manipulation
  • description Oracle 9i/10g evil views Change Passwords Exploit (CVE-2007-3855). CVE-2007-3855. Local exploits for multiple platform
    id EDB-ID:4203
    last seen 2016-01-31
    modified 2007-07-19
    published 2007-07-19
    reporter bunker
    source https://www.exploit-db.com/download/4203/
    title Oracle 9i/10g Evil Views - Change Passwords Exploit
nessus via4
NASL family Databases
NASL id ORACLE_RDBMS_CPU_JUL_2007.NASL
description The remote Oracle database server is missing the July 2007 Critical Patch Update (CPU) and therefore is potentially affected by security issues in the following components : - Advanced Queuing - DataGuard - JavaVM - Oracle Data Mining - Oracle Text - PL/SQL - Rules Manager - Spatial - SQL Compiler
last seen 2019-02-21
modified 2018-11-15
plugin id 56057
published 2011-11-16
reporter Tenable
source https://www.tenable.com/plugins/index.php?view=single&id=56057
title Oracle Database Multiple Vulnerabilities (July 2007 CPU)
packetstorm via4
data source https://packetstormsecurity.com/files/download/57886/bunkerview.txt
id PACKETSTORM:57886
last seen 2016-12-05
published 2007-07-20
reporter Andrea Purificato
source https://packetstormsecurity.com/files/57886/bunkerview.txt.html
title bunkerview.txt
refmap via4
bugtraq
  • 20070718 Oracle Security: Insert / Update / Delete Data via Views
  • 20070721 Oracle bad Views - Exploit released
cert TA07-200A
confirm http://www.oracle.com/technetwork/topics/security/cpujul2007-087014.html
hp
  • HPSBMA02133
  • SSRT061201
misc
sectrack 1018415
secunia
  • 26114
  • 26166
sreason 2903
vupen
  • ADV-2007-2562
  • ADV-2007-2635
xf
  • oracle-cpu-july2007(35490)
  • oracle-unauth-view-access(35495)
Last major update 22-10-2012 - 22:31
Published 18-07-2007 - 15:30
Last modified 15-10-2018 - 17:31
Back to Top