ID CVE-2006-3698
Summary Multiple unspecified vulnerabilities in Oracle Database 10.1.0.5 have unknown impact and attack vectors, aka Oracle Vuln# (1) DB01 for Change Data Capture (CDC) component and (2) DB03 for Data Pump Metadata API. NOTE: as of 20060719, Oracle has not disputed a claim by a reliable researcher that DB01 is related to multiple SQL injection vulnerabilities in SYS.DBMS_CDC_IMPDP using the (a) IMPORT_CHANGE_SET, (b) IMPORT_CHANGE_TABLE, (c) IMPORT_CHANGE_COLUMN, (d) IMPORT_SUBSCRIBER, (e) IMPORT_SUBSCRIBED_TABLE, (f) IMPORT_SUBSCRIBED_COLUMN, (g) VALIDATE_IMPORT, (h) VALIDATE_CHANGE_SET, (i) VALIDATE_CHANGE_TABLE, and (j) VALIDATE_SUBSCRIPTION procedures, and that DB03 is for SQL injection in the MAIN procedure for SYS.KUPW$WORKER.
References
Vulnerable Configurations
  • cpe:2.3:a:oracle:database_server:10.1.0.5:*:*:*:*:*:*:*
CVSS
Base: 10.0 (as of 18-10-2018 - 16:48)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: COMPLETE
  • Integrity: COMPLETE
  • Availability: COMPLETE
cvss-vector via4 AV:N/AC:L/Au:N/C:C/I:C/A:C
refmap via4
bid 19054
bugtraq
  • 20060718 Oracle Database - SQL Injection in SYS.DBMS_CDC_IMPDP [DB01]
  • 20060718 Oracle Database - SQL Injection in SYS.KUPW$WORKER [DB03]
cert TA06-200A
confirm http://www.oracle.com/technetwork/topics/security/cpujul2006-101315.html
fulldisc 20060718 Oracle Database - SQL Injection in SYS.KUPW$WORKER [DB03]
hp
  • HPSBMA02133
  • SSRT061201
misc
sectrack 1016529
secunia
  • 21111
  • 21165
vupen
  • ADV-2006-2863
  • ADV-2006-2947
xf
  • oracle-cpu-july-2006(27897)
  • oracle-dbmscdcimpdp-sql-injection(27889)
  • oracle-kupwworker-sql-injection(27888)
Last major update 18-10-2018 - 16:48
Published 21-07-2006 - 14:03
Last modified 18-10-2018 - 16:48