DB: Oracle CREATE_TABLES SQL Injection

This signature detects attempts to exploit a known vulnerability against Oracle Database versions 9i Release 2 9.2.0.8DV, 9i Release 2 9.2.0.8, 10g 10.1.0.5; and 10g Release 2 10.2.0.4, and the CTXSYS.DRVXTABC.CREATE_TABLES function. A successful attack can lead to arbitrary SQL command execution.

Extended Description

Oracle Database is prone to an SQL-injection vulnerability in Oracle Text. The vulnerability can be exploited over the 'Oracle Net' protocol. For an exploit to succeed, the attacker must have 'Execute on CTXSYS.DRVXTABC' privileges. Exploiting this issue could allow the attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. This vulnerability affects the following supported versions: 9.2.0.8 9.2.0.8DV 10.1.0.5 10.2.0.4

Affected Products

Oracle oracle10g_personal_edition

Short Name
DB:ORACLE:CREATE_TABLES-INJ
Severity
Major
Recommended
False
Recommended Action
Drop
Category
DB
Keywords
CREATE_TABLES CVE-2009-1991 Injection Oracle SQL bid:36748
Release Date
11/11/2009
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3375
False Positive
Unknown
Vendors

Oracle

CVSS Score

3.6

Found a potential security threat?