DB: Oracle Database Server Create View
This signature detects attempts to exploit a known vulnerability against Oracle Database Server. Attackers can use this vulnerability to perform privilege escalation.
Extended Description
Oracle Database is susceptible to a vulnerability that allows attackers to bypass access restrictions. This issue is due to a failure of the application to properly enforce read-only privileges for user roles in certain circumstances. To exploit this issue, a user must have 'CREATE VIEW' and 'CREATE DATABASE LINK' privileges. Also, the base table must have a primary key. This issue allows attackers to modify data stored in affected databases, even if they are granted just read-only access. This may allow them to gain elevated privileges in the database. Oracle versions 9.2.0.0 through 10.2.0.3 are affected by this issue. This issue was originally disclosed by the vendor via Metalink, under the title "363848.1 - A User with SELECT Object Privilege on Base Tables Can Delete Rows from a View". This article has reportedly been removed since its initial disclosure.
Affected Products
Oracle oracle10g_standard_edition
Short Name
DB:ORACLE:CREATE-VIEW
Severity
Minor
Recommended
False
Recommended Action
None
Category
DB
Keywords
CVE-2006-1705 Create Database Oracle Server View bid:17426
Release Date
09/02/2010
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3375
False Positive
Occasionally
Vendors
Oracle
CVSS Score
2.1