5 Medium
CVSS2
Access Vector
Access Complexity
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.045 Low
EPSS
Percentile
92.5%
Oracle Reports fails to validate URI parameters, possibly allowing a remote attacker to read arbitrary files on the Reports Server.
Oracle Reports is an enterprise reporting tool that extracts data from multiple sources and inserts it into a formatted report. It is a component of Oracle Application Server and the Oracle Developer Suite. Oracle Reports are accessible over a network via a URI. Improper validation on the desformat
URI parameter may allow a remote attacker to read arbitrary files on the Oracle Reports Server.
Based on research into public information, we believe that this issue is Oracle vuln# REP05 in the Oracle CPU for January 2006. However, there is not sufficient information to authoritatively relate Oracle vulnerability information to information provided by other parties.
A remote attacker may be able to read files on the server by sending a specially crafted URI to Oracle Reports.
Apply patches
This issue is corrected in the Oracle Critical Patch Update for January 2006.
Restrict Access to Reports Server
Allowing only trusted users access to Oracle Reports may reduce the chances of exploitation.
925261
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Updated: January 19, 2006
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Please see:
<http://www.red-database-security.com/advisory/oracle_reports_read_any_file.html>
and
<http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html>
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23925261 Feedback>).
Group | Score | Vector |
---|---|---|
Base | ||
Temporal | ||
Environmental |
This document is based on information provided by Alexander Kornbrust.
This document was written by Jeff Gennari.
CVE IDs: | CVE-2005-2378 |
---|---|
Severity Metric: | 4.25 Date Public: |