The Oracle ENABLE_HIERARCHY_INTERNAL procedure is vulnerable to PL/SQL injection. This vulnerability may allow a remote, authenticated attacker to execute arbitrary PL/SQL commands on a vulnerable Oracle installation.
The Oracle ENABLE_HIERARCHY_INTERNAL procedure fails to properly sanitize user input. This may allow a remote attacker to insert arbitrary SQL commands that are then executed by the database. Note that an attacker must have execute privileges on the XDB.DBMS_XDBZ package to exploit this vulnerability.
Based on research into public information, we believe that this issue is Oracle vuln# DB01 in the October 2006 Oracle CPU. However, there is not sufficient information to authoritatively relate Oracle vulnerability information to information provided by other parties.
A remote attacker may be able to execute PL/SQL queries on a server, possibly with elevated privileges. As a result, attackers may be able to view or modify the contents of an Oracle database.
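Because the precondition above is execute privilege on XDB.DBMS_XDBZ, the first thing a DBA wants to know is which accounts actually hold it. The audit query below is an added example and is not part of this note or of Oracle's code; it assumes a session that can read the DBA_* dictionary views, and it follows grants through role chains as well as direct grants (a direct grant to PUBLIC means every account qualifies).

```sql
-- Added example (not from the advisory): list every grantee that holds
-- EXECUTE on XDB.DBMS_XDBZ, directly or through a chain of roles.
-- Assumes the session can read DBA_TAB_PRIVS and DBA_ROLE_PRIVS.
WITH direct_grants AS (
    SELECT grantee
      FROM dba_tab_privs
     WHERE owner      = 'XDB'
       AND table_name = 'DBMS_XDBZ'
       AND privilege  = 'EXECUTE'
),
role_chain AS (
    -- Walk upward from each role that holds the grant to the roles and
    -- users that have been granted that role, level by level.
    SELECT grantee, granted_role
      FROM dba_role_privs
    START WITH granted_role IN (SELECT grantee FROM direct_grants)
    CONNECT BY PRIOR grantee = granted_role
)
SELECT DISTINCT holder, how
  FROM (
        SELECT grantee AS holder, 'direct grant' AS how
          FROM direct_grants
        UNION ALL
        SELECT grantee, 'via role ' || granted_role
          FROM role_chain
       )
 ORDER BY holder, how;
```

Rows whose holder is itself a role are intermediate links in the chain; a row with holder PUBLIC means the privilege is effectively held by every account in the database.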
Apply patches
This issue is addressed in the Oracle Critical Patch Update for October 2006.
VU#717140
Oracle vendor status: Affected (Notified: October 17, 2006; Updated: October 19, 2006)
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Refer to <http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html>.
This vulnerability was reported in the Oracle Critical Patch Update for October 2006.
This document was written by Jeff Gennari based on information from Oracle, Alexander Kornbrust of Red-Database-Security GmbH, and David Litchfield of NGSSoftware.
CVE IDs: CVE-2006-5332
Severity Metric: 4.97
Date Public:
secunia.com/advisories/22396/
www.databasesecurity.com/oracle/OracleOct2006-CPU-Analysis.pdf
www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html
www.red-database-security.com/advisory/oracle_cpu_oct_2006.html
www.red-database-security.com/advisory/oracle_sql_injection_dbms_xdbz0.html