ID CVE-2009-0981
Summary Unspecified vulnerability in the Application Express component in Oracle Database 11.1.0.7 allows remote authenticated users to affect confidentiality, related to APEX. NOTE: the previous information was obtained from the April 2009 CPU. Oracle has not commented on reliable researcher claims that this issue allows remote authenticated users to obtain APEX password hashes from the WWV_FLOW_USERS table via a SELECT statement.
References
Vulnerable Configurations
  • cpe:2.3:a:oracle:database_11g:11.1.0.7
CVSS
Base: 4.0 (as of 15-04-2009 - 12:12)
Impact:
Exploitability:
Access
Vector: NETWORK
Complexity: LOW
Authentication: SINGLE_INSTANCE
Impact
Confidentiality: PARTIAL
Integrity: NONE
Availability: NONE
exploit-db via4
description Oracle APEX 3.2 Unprivileged DB users can see APEX password hashes. CVE-2009-0981. Local exploits for multiple platform
file exploits/multiple/local/8456.txt
id EDB-ID:8456
last seen 2016-02-01
modified 2009-04-16
platform multiple
port
published 2009-04-16
reporter Alexander Kornbrust
source https://www.exploit-db.com/download/8456/
title Oracle APEX 3.2 - Unprivileged DB users can see APEX password hashes
type local
nessus via4
  • NASL family Web Servers
    NASL id ORACLE_APEX_CVE-2009-0981.NASL
    description Unprivileged database users can see Oracle Apex password hashes in FLOWS_030000.WWV_FLOW_USER.
    last seen 2018-11-17
    modified 2018-11-15
    plugin id 64708
    published 2013-02-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64708
    title Oracle Application Express (Apex) CVE-2009-0981
  • NASL family Databases
    NASL id ORACLE_RDBMS_CPU_APR_2009.NASL
    description The remote Oracle database server is missing the April 2009 Critical Patch Update (CPU) and therefore is potentially affected by security issues in the following components: Advanced Queuing, Application Express, Cluster Ready Services, Core RDBMS, Database Vault, Listener, Password Policy, Resource Manager, SQLX Functions, Workspace Manager.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 56064
    published 2011-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=56064
    title Oracle Database Multiple Vulnerabilities (April 2009 CPU)
packetstorm via4
data source https://packetstormsecurity.com/files/download/76731/apex-disclose.txt
id PACKETSTORM:76731
last seen 2016-12-05
published 2009-04-16
reporter Alexander Kornbrust
source https://packetstormsecurity.com/files/76731/APEX-Password-Hash-Disclosure.html
title APEX Password Hash Disclosure
refmap via4
bid 34461
bugtraq 20090416 Unprivileged DB users can see APEX password hashes
cert TA09-105A
confirm http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html
exploit-db 8456
misc http://www.red-database-security.com/advisory/apex_password_hashes.html
osvdb 53738
sectrack 1022052
secunia 34693
Last major update 22-10-2012 - 23:04
Published 15-04-2009 - 06:30
Last modified 10-10-2018 - 15:32