cnvd - cnvd-2021-33860

cnvd-2021-33860

Vulnerability from cnvd

Title

Oracle Database Server输入验证错误漏洞（CNVD-2021-33860）

Description

Oracle Database Server是美国甲骨文（Oracle）公司的一套关系数据库管理系统。该数据库管理系统提供数据管理、分布式处理等功能。 Oracle Database Server 12.1.0.2, 12.2.0.1, 18c, 19c 存在输入验证错误漏洞，该漏洞源于Oracle数据库服务器在恢复过程中输入验证不正确。攻击者可利用此漏洞访问敏感信息。

Severity

中

Patch Name

Oracle Database Server输入验证错误漏洞（CNVD-2021-33860）的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.oracle.com/security-alerts/cpuapr2021.html

Reference

https://www.oracle.com/security-alerts/cpuapr2021.html

Impacted products

Name
['Oracle Oracle Database Server 12.1.0.2', 'Oracle Oracle Database Server 12.2.0.1', 'Oracle Oracle Database Server 18c', 'Oracle Oracle Database Server 19c']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-2173",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-2173"
    }
  },
  "description": "Oracle Database Server\u662f\u7f8e\u56fd\u7532\u9aa8\u6587\uff08Oracle\uff09\u516c\u53f8\u7684\u4e00\u5957\u5173\u7cfb\u6570\u636e\u5e93\u7ba1\u7406\u7cfb\u7edf\u3002\u8be5\u6570\u636e\u5e93\u7ba1\u7406\u7cfb\u7edf\u63d0\u4f9b\u6570\u636e\u7ba1\u7406\u3001\u5206\u5e03\u5f0f\u5904\u7406\u7b49\u529f\u80fd\u3002\n\nOracle Database Server 12.1.0.2, 12.2.0.1, 18c, 19c \u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eOracle\u6570\u636e\u5e93\u670d\u52a1\u5668\u5728\u6062\u590d\u8fc7\u7a0b\u4e2d\u8f93\u5165\u9a8c\u8bc1\u4e0d\u6b63\u786e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u8bbf\u95ee\u654f\u611f\u4fe1\u606f\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.oracle.com/security-alerts/cpuapr2021.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-33860",
  "openTime": "2021-05-11",
  "patchDescription": "Oracle Database Server\u662f\u7f8e\u56fd\u7532\u9aa8\u6587\uff08Oracle\uff09\u516c\u53f8\u7684\u4e00\u5957\u5173\u7cfb\u6570\u636e\u5e93\u7ba1\u7406\u7cfb\u7edf\u3002\u8be5\u6570\u636e\u5e93\u7ba1\u7406\u7cfb\u7edf\u63d0\u4f9b\u6570\u636e\u7ba1\u7406\u3001\u5206\u5e03\u5f0f\u5904\u7406\u7b49\u529f\u80fd\u3002\r\n\r\nOracle Database Server 12.1.0.2, 12.2.0.1, 18c, 19c \u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eOracle\u6570\u636e\u5e93\u670d\u52a1\u5668\u5728\u6062\u590d\u8fc7\u7a0b\u4e2d\u8f93\u5165\u9a8c\u8bc1\u4e0d\u6b63\u786e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u8bbf\u95ee\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Oracle Database Server\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff08CNVD-2021-33860\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Oracle Oracle Database Server 12.1.0.2",
      "Oracle Oracle Database Server 12.2.0.1",
      "Oracle Oracle Database Server 18c",
      "Oracle Oracle Database Server 19c"
    ]
  },
  "referenceLink": "https://www.oracle.com/security-alerts/cpuapr2021.html",
  "serverity": "\u4e2d",
  "submitTime": "2021-04-21",
  "title": "Oracle Database Server\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff08CNVD-2021-33860\uff09"
}

CVE-2021-2173 (GCVE-0-2021-2173)

Vulnerability from cvelistv5

Published

2021-04-22 00:00

Modified

2024-09-26 18:12

Severity ?

4.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

CWE

Easily exploitable vulnerability allows high privileged attacker having DBA Level Account privilege with network access via Oracle Net to compromise Recovery. While the vulnerability is in Recovery, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Recovery accessible data.

Summary

Vulnerability in the Recovery component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA Level Account privilege with network access via Oracle Net to compromise Recovery. While the vulnerability is in Recovery, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Recovery accessible data. CVSS 3.1 Base Score 4.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N).

References

URL

Tags

	https://www.oracle.com/security-alerts/cpuapr2021.html
	https://github.com/emad-almousa/CVE-2021-2173
	http://packetstormsecurity.com/files/171344/Oracle-DB-Broken-PDB-Isolation-Metadata-Exposure.html