ID CVE-2006-5338Type cveReporter cve@mitre.orgModified 2018-10-17T21:42:00
Description
Unspecified vulnerability in the Core RDBMS component in Oracle Database 10.1.0.5 has unknown impact and remote authenticated attack vectors related to sys.dbms_sqltune, aka Vuln# DB10. NOTE: as of 20061023, Oracle has not disputed reports from reliable third parties that DB10 is for SQL injection in DROP_SQLSET, DELETE_SQLSET, SELECT_SQLSET, and I_SET_TUNING_PARAMETER. NOTE: some of these vectors might be in DBMS_SQLTUNE_INTERNAL.
{"id": "CVE-2006-5338", "bulletinFamily": "NVD", "title": "CVE-2006-5338", "description": "Unspecified vulnerability in the Core RDBMS component in Oracle Database 10.1.0.5 has unknown impact and remote authenticated attack vectors related to sys.dbms_sqltune, aka Vuln# DB10. NOTE: as of 20061023, Oracle has not disputed reports from reliable third parties that DB10 is for SQL injection in DROP_SQLSET, DELETE_SQLSET, SELECT_SQLSET, and I_SET_TUNING_PARAMETER. NOTE: some of these vectors might be in DBMS_SQLTUNE_INTERNAL.", "published": "2006-10-18T01:07:00", "modified": "2018-10-17T21:42:00", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-5338", "reporter": "cve@mitre.org", "references": ["http://www.securityfocus.com/archive/1/449711/100/0/threaded", "http://www.us-cert.gov/cas/techalerts/TA06-291A.html", "http://www.vupen.com/english/advisories/2006/4065", "http://securitytracker.com/id?1017077", "http://www.securityfocus.com/archive/1/449110/100/0/threaded", "http://www.oracle.com/technetwork/topics/security/cpuoct2006-095368.html", "http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_sqltune_internal.html", "http://www.securityfocus.com/bid/20588", "http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html", "http://www.securityfocus.com/archive/1/449509/100/0/threaded", "http://www.databasesecurity.com/oracle/OracleOct2006-CPU-Analysis.pdf", "http://secunia.com/advisories/22396"], "cvelist": ["CVE-2006-5338"], "type": "cve", "lastseen": "2019-05-29T18:08:34", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "67d2b4ca5c535c00af2f3b64269bd3a6"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "543a2996ce77dde011ca5b0c24dcabed"}, {"key": "cpe23", "hash": "739e0a24b6e8f7c3f8914d90a1354733"}, {"key": "cvelist", "hash": "79873fbfdf23b50ba15c4830465d6418"}, {"key": "cvss", "hash": "62e86bb7716385cd46817416916a7bbd"}, {"key": "cvss2", "hash": "a6674711d5258b061e81bdf1502ce727"}, {"key": "cvss3", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cwe", "hash": "d370d473ba1bd1721d669ef98e2aeebb"}, {"key": "description", "hash": "ca47e457136635d136d6402ad6cc39cb"}, {"key": "href", "hash": "fd5a001704ecb4d13490b6c426dffeec"}, {"key": "modified", "hash": "7c5b0816ab4ae0609164857583a5ebb3"}, {"key": "published", "hash": "053caa9a4919d820c83b8dd47121b2dc"}, {"key": "references", "hash": "ba19ea8818839c45b28622e596584978"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "af94b0dd3e0c4918e1c4f3f637938413"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "c5bd3b465134055b97e76ef8acac2f827445617a765c637bea96bc436cc8b555", "viewCount": 0, "enchantments": {"score": {"value": 7.8, "vector": "NONE", "modified": "2019-05-29T18:08:34"}, "dependencies": {"references": [{"type": "osvdb", "idList": ["OSVDB:31451"]}, {"type": "nessus", "idList": ["ORACLE_RDBMS_CPU_OCT_2006.NASL"]}], "modified": "2019-05-29T18:08:34"}, "vulnersScore": 7.8}, "objectVersion": "1.3", "cpe": ["cpe:/a:oracle:database_server:10.1.0.5", "cpe:/a:oracle:database_server:10.2.0.0"], "affectedSoftware": [{"name": "oracle database_server", "operator": "eq", "version": "10.2.0.0"}, {"name": "oracle database_server", "operator": "eq", "version": "10.1.0.5"}], "cvss2": {"acInsufInfo": true, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": true, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {}, "cpe23": ["cpe:2.3:a:oracle:database_server:10.1.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:database_server:10.2.0.0:*:*:*:*:*:*:*"], "cwe": ["NVD-CWE-noinfo"]}
{"osvdb": [{"lastseen": "2017-04-28T13:20:27", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\n[Vendor Specific Advisory URL](http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html)\nSecurity Tracker: 1017077\n[Secunia Advisory ID:22396](https://secuniaresearch.flexerasoftware.com/advisories/22396/)\n[Related OSVDB ID: 31383](https://vulners.com/osvdb/OSVDB:31383)\n[Related OSVDB ID: 31384](https://vulners.com/osvdb/OSVDB:31384)\n[Related OSVDB ID: 31393](https://vulners.com/osvdb/OSVDB:31393)\n[Related OSVDB ID: 31399](https://vulners.com/osvdb/OSVDB:31399)\n[Related OSVDB ID: 31414](https://vulners.com/osvdb/OSVDB:31414)\n[Related OSVDB ID: 31407](https://vulners.com/osvdb/OSVDB:31407)\n[Related OSVDB ID: 31500](https://vulners.com/osvdb/OSVDB:31500)\nOther Advisory URL: http://www.databasesecurity.com/oracle/OracleOct2006-CPU-Analysis.pdf\nNews Article: http://news.com.com/Oracle+plugs+101+security+flaws/2100-1002_3-6126864.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-10/0360.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-10/0388.html\nKeyword: DB10\nFrSIRT Advisory: ADV-2006-4065\n[CVE-2006-5338](https://vulners.com/cve/CVE-2006-5338)\nBugtraq ID: 20588\n", "modified": "2006-10-18T06:18:53", "published": "2006-10-18T06:18:53", "href": "https://vulners.com/osvdb/OSVDB:31451", "id": "OSVDB:31451", "title": "Oracle Database Core RDBMS DBMS_SQLTUNE_INTERNAL Multiple Variable SQL Injection", "type": "osvdb", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:15:20", "bulletinFamily": "scanner", "description": "The remote Oracle database server is missing the October 2006 Critical Patch Update (CPU) and therefore is potentially affected by security issues in the following components :\n\n - Change Data Capture (CDC)\n\n - Core RDBMS\n\n - Database Scheduler\n\n - Oracle Spatial\n\n - XMLDB", "modified": "2018-11-15T00:00:00", "id": "ORACLE_RDBMS_CPU_OCT_2006.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=56054", "published": "2011-11-16T00:00:00", "title": "Oracle Database Multiple Vulnerabilities (October 2006 CPU)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\nif (!defined_func(\"nasl_level\") || nasl_level() < 5000) exit(0, \"Nessus older than 5.x\");\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(56054);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2018/11/15 20:50:21\");\n\n script_cve_id(\n \"CVE-2006-5332\",\n \"CVE-2006-5333\",\n \"CVE-2006-5334\",\n \"CVE-2006-5335\",\n \"CVE-2006-5336\",\n \"CVE-2006-5337\",\n \"CVE-2006-5338\",\n \"CVE-2006-5339\",\n \"CVE-2006-5340\",\n \"CVE-2006-5341\",\n \"CVE-2006-5342\",\n \"CVE-2006-5343\",\n \"CVE-2006-5344\",\n \"CVE-2006-5345\"\n );\n script_bugtraq_id(20588);\n\n script_name(english:\"Oracle Database Multiple Vulnerabilities (October 2006 CPU)\");\n script_summary(english:\"Checks installed patch info\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote database server is affected by multiple vulnerabilities.\");\n\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle database server is missing the October 2006\nCritical Patch Update (CPU) and therefore is potentially affected by\nsecurity issues in the following components :\n\n - Change Data Capture (CDC)\n\n - Core RDBMS\n\n - Database Scheduler\n\n - Oracle Spatial\n\n - XMLDB\");\n\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?861d82ff\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the October 2006 Oracle\nCritical Patch Update advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:N/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-486\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/10/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/10/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/11/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:database_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Databases\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"oracle_rdbms_query_patch_info.nbin\", \"oracle_rdbms_patch_info.nbin\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"oracle_rdbms_cpu_func.inc\");\ninclude(\"misc_func.inc\");\n\n################################################################################\n# OCT2006\npatches = make_nested_array();\n\n# RDBMS 10.1.0.4\npatches[\"10.1.0.4\"][\"db\"][\"nix\"] = make_array(\"patch_level\", \"10.1.0.4.7\", \"CPU\", \"5490844\");\npatches[\"10.1.0.4\"][\"db\"][\"win32\"] = make_array(\"patch_level\", \"10.1.0.4.15\", \"CPU\", \"5500878\");\n# RDBMS 10.1.0.5\npatches[\"10.1.0.5\"][\"db\"][\"nix\"] = make_array(\"patch_level\", \"10.1.0.5.4\", \"CPU\", \"5490845\");\npatches[\"10.1.0.5\"][\"db\"][\"win32\"] = make_array(\"patch_level\", \"10.1.0.5.8\", \"CPU\", \"5500883\");\n# RDBMS 10.2.0.2\npatches[\"10.2.0.2\"][\"db\"][\"nix\"] = make_array(\"patch_level\", \"10.2.0.2.3\", \"CPU\", \"5490848\");\npatches[\"10.2.0.2\"][\"db\"][\"win32\"] = make_array(\"patch_level\", \"10.2.0.2.5\", \"CPU\", \"5502226\");\npatches[\"10.2.0.2\"][\"db\"][\"win64\"] = make_array(\"patch_level\", \"10.2.0.2.5\", \"CPU\", \"5500921\");\n# RDBMS 10.2.0.1\npatches[\"10.2.0.1\"][\"db\"][\"nix\"] = make_array(\"patch_level\", \"10.2.0.1.4\", \"CPU\", \"5490846\");\npatches[\"10.2.0.1\"][\"db\"][\"win32\"] = make_array(\"patch_level\", \"10.2.0.1.8\", \"CPU\", \"5500927\");\npatches[\"10.2.0.1\"][\"db\"][\"win64\"] = make_array(\"patch_level\", \"10.2.0.1.8\", \"CPU\", \"5500954\");\n# RDBMS 10.1.0.3\npatches[\"10.1.0.3\"][\"db\"][\"nix\"] = make_array(\"patch_level\", \"10.1.0.3.8\", \"CPU\", \"5566825\");\n\ncheck_oracle_database(patches:patches, high_risk:TRUE);\n", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
