ERPScan: ERPSCAN-11-020
Apr 20, 2009 - 12:00 a.m.

Oracle BI — WB_OLAP_AW_SET_SOLVE_ID - privilege escalation

erpscan.io

CVSS2: 6.5 Medium (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

EPSS: 0.004 Low (Percentile: 74.8%)

Application: Oracle BI
Versions Affected: Oracle BI (Oracle Warehouse Builder) 10.2.0.5, 11.1.0.7
Vendor URL: http://oracle.com
Bugs: PL/SQL Injection, privilege escalation
Exploits: YES
Reported: 20.04.2009
Vendor response: 22.04.2009
Last response: 12.04.2011
Date of Public Advisory: 24.05.2011
CVE: CVE-2011-0792
Author: Alexandr Polyakov

Description
A PL/SQL injection vulnerability was found in the procedure OWBREPOS_OWNER.WB_OLAP_AW_SET_SOLVE_ID. Exploiting the vulnerability in this procedure can give any user OWBREPOS_OWNER rights and, from there, access to the OS.

Business Risk
A legitimate database user can escalate privileges and gain unauthorized access to business-critical data stored in the database, and can also gain full access to the operating system.
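
A defender-side exposure check for the procedure named above, as an added example that is not part of the ERPScan advisory: it lists who can execute the procedure, whether it runs with definer's rights, and which privileges the owning schema holds. It assumes the repository schema is named OWBREPOS_OWNER as in the advisory and that the auditing account can read the DBA_* dictionary views.

```sql
-- Added audit example (not from the advisory). Run as a user with access to
-- the DBA_* data dictionary views.
-- Assumption: the Warehouse Builder repository schema uses the name given in
-- the advisory (OWBREPOS_OWNER); substitute your own repository owner if it
-- differs.

-- 1. Who can execute the procedure? A grant to PUBLIC, or to a role held by
--    ordinary users, means any authenticated account can reach it.
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner      = 'OWBREPOS_OWNER'
AND    table_name = 'WB_OLAP_AW_SET_SOLVE_ID'
AND    privilege  = 'EXECUTE'
ORDER  BY grantee;

-- 2. Does it run with definer's rights? AUTHID = 'DEFINER' (the PL/SQL
--    default) means SQL built inside the procedure executes with the
--    owner's privileges rather than the caller's.
SELECT owner, object_name, authid
FROM   dba_procedures
WHERE  owner       = 'OWBREPOS_OWNER'
AND    object_name = 'WB_OLAP_AW_SET_SOLVE_ID';

-- 3. What does the owning schema hold? These system privileges and roles
--    are what a caller would gain through a definer's-rights injection.
SELECT 'SYSTEM PRIVILEGE' AS kind, privilege AS granted, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'OWBREPOS_OWNER'
UNION ALL
SELECT 'ROLE', granted_role, admin_option
FROM   dba_role_privs
WHERE  grantee = 'OWBREPOS_OWNER'
ORDER  BY 1, 2;
```

If query 1 returns PUBLIC or a broadly granted role, revoking that EXECUTE grant narrows who can reach the procedure.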
