History: Jan 21, 2015 - 3:28 p.m.

CVE-2014-6577

2015-01-21 15:28:00
NVD-CWE-noinfo
web.nvd.nist.gov
cve-2014-6577
unspecified vulnerability
xml developer's kit
oracle database server
remote authenticated users
confidentiality
xxe vulnerability
xml parser
internal port scanning
ssrf attacks
denial of service
january 2015 cpu
nvd

AI Score: 5.7 Medium (Confidence: Low)

CVSS2: 6.8 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N

EPSS: 0.004 Low (Percentile: 72.5%)

Unspecified vulnerability in the XML Developer’s Kit for C component in Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the original researcher’s claim that this is an XML external entity (XXE) vulnerability in the XML parser, which allows attackers to conduct internal port scanning, perform SSRF attacks, or cause a denial of service via a crafted (1) http: or (2) ftp: URI.
