DB: Oracle Database Server DBMS_CDC_PUBLISH SQL Injection
Oracle Database Server contains an SQL injection vulnerability. The vulnerability is due to input validation errors in the DROP_CHANGE_SOURCE and ALTER_CHANGE_SOURCE procedures of the DBMS_CDC_PUBLISH package. Remote authenticated attackers with EXECUTE permission on the SYS.DBMS_CDC_PUBLISH package can exploit this vulnerability by sending a specially crafted parameter to the affected procedures. Successful exploitation would result in disclosure of information, and modification or manipulation of the data in the underlying database.
Extended Description
Oracle Database is prone to a remote SQL-injection vulnerability in the 'Change Data Capture' component. The vulnerability can be exploited over the 'Oracle Net' protocol. For an exploit to succeed, the attacker must have 'Execute on SYS.DBMS_CDC_PUBLISH' privileges. This vulnerability affects the following supported versions: 9.2.0.8, 9.2.0.8DV
Affected Products
Oracle oracle9i_enterprise_edition
Short Name
DB:ORACLE:DBMS-CDC-PUBLISH-INJ
Severity
Major
Recommended
False
Recommended Action
Drop
Category
DB
Keywords
CVE-2010-0870 DBMS_CDC_PUBLISH Database Injection Oracle SQL Server bid:39422
Release Date
10/11/2010
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3375
False Positive
Unknown
Vendors
Oracle
CVSS Score
3.6