CVE-2008-1813 - Multiple unspecified vulnerabilities in Oracle Database 9.0.1.5 FIPS+, 9.2.0.8, 9.2.0.8DV, 10.1.0.5,

CVE-2008-1813

Summary

Multiple unspecified vulnerabilities in Oracle Database 9.0.1.5 FIPS+, 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.3 have unknown impact and remote unauthenticated or authenticated attack vectors related to (1) SYS.DBMS_AQ in the Advanced Queuing component, aka DB01; (2) Core RDBMS, aka DB03; (3) SDO_GEOM in Oracle Spatial, aka DB06; (4) Export, aka DB12; and (5) DBMS_STATS in Query Optimizer, aka DB13. NOTE: the previous information was obtained from the Oracle CPU. Oracle has not commented on reliable researcher claims that DB06 is SQL injection, and DB13 occurs when the OUTLN account is reset to use a hard-coded password.

References

Vulnerable Configurations

cpe:2.3:a:oracle:database_9i:9.0.1.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:database_9i:9.0.1.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:database_9i:9.2.0.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:database_9i:9.2.0.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:database_9i:9.2.0.8dv:*:*:*:*:*:*:*
cpe:2.3:a:oracle:database_9i:9.2.0.8dv:*:*:*:*:*:*:*
cpe:2.3:a:oracle:database_server:9.0.1.5:*:fips:*:*:*:*:*
cpe:2.3:a:oracle:database_server:9.0.1.5:*:fips:*:*:*:*:*
cpe:2.3:a:oracle:database_server:10.1.0.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:database_server:10.1.0.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:database_server:10.2.0.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:database_server:10.2.0.3:*:*:*:*:*:*:*

CVSS

Base:	6.5 (as of 11-10-2018 - 20:37)
Impact:
Exploitability:

CWE

NVD-CWE-noinfo

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	SINGLE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:S/C:P/I:P/A:P

refmap via4

bugtraq	20080416 Oracle - Hardcoded Password and Password Reset of OUTLN User [DB13] 20080416 Oracle - SQL Injection in package SDO_GEOM [DB06]
confirm	http://www.oracle.com/technetwork/topics/security/cpuapr2008-082075.html
hp	HPSBMA02133 SSRT061201
misc	http://www.red-database-security.com/advisory/oracle_outln_password_change.html http://www.red-database-security.com/advisory/oracle_sql_injection_sdo_geom.html
sectrack	1019855
secunia	29829 29874
vupen	ADV-2008-1233 ADV-2008-1267
xf	oracle-cpu-april-2008(41858) oracle-database-corerdbms-unspecified(41992) oracle-database-dbmsaq-unspecified(41991) oracle-database-export-info-disclosure(41994) oracle-database-queryop-default-password(41995) oracle-database-sdogeom-sql-injection(41993)

Last major update

11-10-2018 - 20:37

Published

16-04-2008 - 10:05

Last modified

11-10-2018 - 20:37