Lucene search

[email protected]CVE-2008-6065

HistoryFeb 05, 2009 - 2:30 a.m.

CVE-2008-6065

2009-02-0502:30:00

CWE-264

[email protected]

web.nvd.nist.gov

oracle database server

cve-2008-6065

security vulnerability

remote attack

sysdba privileges

6.9 Medium

AI Score

Confidence

Low

5.1 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

0.043 Low

EPSS

Percentile

92.3%

JSON

Oracle Database Server 10.1, 10.2, and 11g grants directory WRITE permissions for arbitrary pathnames that are aliased in a CREATE OR REPLACE DIRECTORY statement, which allows remote authenticated users with CREATE ANY DIRECTORY privileges to gain SYSDBA privileges by aliasing the pathname of the password directory, and then overwriting the password file through UTL_FILE operations, a related issue to CVE-2006-7141.

CPENameOperatorVersion
oracle:database_serveroracle database servereq10.2
oracle:database_serveroracle database servereq10.1
oracle:database_serveroracle database servereq11

CPE	Name	Operator	Version
oracle:database_server	oracle database server	eq	10.2
oracle:database_server	oracle database server	eq	10.1
oracle:database_server	oracle database server	eq	11

References

www.oracleforensics.com/wordpress/index.php/2008/10/10/create-any-directory-to-sysdba/

www.oracleforensics.com/wordpress/wp-content/uploads/2008/10/create-any-directory-to-sysdba.pdf

www.securityfocus.com/archive/1/497286/100/0/threaded

www.securityfocus.com/bid/31738

exchange.xforce.ibmcloud.com/vulnerabilities/48814

6.9 Medium

AI Score

Confidence

Low

5.1 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

0.043 Low

EPSS

Percentile

92.3%

JSON

Related for CVE-2008-6065

prion1 cvelist2 cve1