Lucene search

[email protected]CVE-2007-2108

HistoryApr 18, 2007 - 6:19 p.m.

CVE-2007-2108

2007-04-1818:19:00

CWE-264

[email protected]

web.nvd.nist.gov

cve-2007-2108

oracle database

core rdbms

vulnerability

remote attackers

ntlm sspi

windows

6.4 Medium

AI Score

Confidence

Low

6.8 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.44 Medium

EPSS

Percentile

97.4%

JSON

Unspecified vulnerability in the Core RDBMS component in Oracle Database 9.0.1.5, 9.2.0.8, 10.1.0.5, and 10.2.0.2 on Windows allows remote attackers to have an unknown impact, aka DB01. NOTE: as of 20070424, Oracle has not disputed reliable claims that this issue occurs because the NTLM SSPI AcceptSecurityContext function grants privileges based on the username provided even though all users are authenticated as Guest, which allows remote attackers to gain privileges.

Affected configurations

NVD

Node

microsoftwindows

AND

oracledatabase_serverMatch9.0.1.5

oracledatabase_serverMatch9.2.0.8

oracledatabase_serverMatch10.1.0.5

oracledatabase_serverMatch10.2.0.2

CPENameOperatorVersion
microsoft:windowsmicrosoft windowseq*
oracle:database_serveroracle database servereq9.0.1.5
oracle:database_serveroracle database servereq9.2.0.8
oracle:database_serveroracle database servereq10.1.0.5
oracle:database_serveroracle database servereq10.2.0.2

CPE	Name	Operator	Version
microsoft:windows	microsoft windows	eq	*
oracle:database_server	oracle database server	eq	9.0.1.5
oracle:database_server	oracle database server	eq	9.2.0.8
oracle:database_server	oracle database server	eq	10.1.0.5
oracle:database_server	oracle database server	eq	10.2.0.2

References

www.integrigy.com/security-resources/analysis/Integrigy_Oracle_CPU_April_2007_Analysis.pdf

www.kb.cert.org/vuls/id/809457

www.ngssoftware.com/papers/database-on-xp.pdf

www.ngssoftware.com/research/papers/NGSSoftware-OracleCPUAPR2007.pdf

www.oracle.com/technetwork/topics/security/cpuapr2007-090632.html

www.red-database-security.com/advisory/oracle_cpu_apr_2007.html

www.securityfocus.com/archive/1/466329/100/200/threaded

www.securityfocus.com/bid/23532

www.securitytracker.com/id?1017927

www.us-cert.gov/cas/techalerts/TA07-108A.html

www.vupen.com/english/advisories/2007/1426

6.4 Medium

AI Score

Confidence

Low

6.8 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.44 Medium

EPSS

Percentile

97.4%

JSON

Related for CVE-2007-2108

cvelist1 prion1 nvd1 nessus1