Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2013-2020 Recx Ltd.ORACLE_APEX_PRE301.NASL
HistoryFeb 20, 2013 - 12:00 a.m.

Oracle Application Express (Apex) Unspecified Issues (pre 3.0.1)

2013-02-2000:00:00
This script is Copyright (C) 2013-2020 Recx Ltd.
www.tenable.com
17

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.004 Low

EPSS

Percentile

73.1%

JSON

There are unspecified vulnerabilities in versions prior to version 3.0.1 of the Oracle Application Express component of the Oracle Database.

# ---------------------------------------------------------------------------------
# (c) Recx Ltd 2009-2012
# http://www.recx.co.uk/
#
# Detection script for multiple issues within Oracle Application Express
#
# < 3.0.1
# 1 new security fix for Oracle Application Express (formerly called HTML DB)
# The Oracle Application Express security vulnerability listed in the risk matrix above is fixed in version 3.0. All previous versions should be upgraded directly to version 3.0.
# https://www.oracle.com/technetwork/topics/security/cpujul2007-087014.html
#
# Version 1.0
# ---------------------------------------------------------------------------------

include("compat.inc");

if (description)
{
  script_id(64715);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

  script_cve_id("CVE-2007-3860");

  script_name(english:"Oracle Application Express (Apex) Unspecified Issues (pre 3.0.1)");
  script_summary(english:"Checks if the Apex version is less than 3.0.1");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is running a vulnerable version of Oracle Apex.");
  script_set_attribute(attribute:"description", value:
"There are unspecified vulnerabilities in versions prior to version
3.0.1 of the Oracle Application Express component of the Oracle
Database.");
  script_set_attribute(attribute:"see_also", value:"http://www.oracle.com/technetwork/developer-tools/apex/index.html");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/technetwork/topics/security/cpujul2007-087014.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade Application Express to at least version 3.0.1.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/07/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2007/07/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/02/20");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:application_express");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2013-2020 Recx Ltd.");

  script_dependencies("oracle_apex_detect_version.nasl");
  script_require_keys("Oracle/Apex");
  script_require_ports("Services/www", 8080, 80, 443);

  exit(0);
}

include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");

function raise_finding(port, report)
{
  if(report_verbosity > 0)
    security_hole(port:port, extra:report);
  else security_hole(port);
}

port = get_http_port(default:8080, embedded:TRUE);

if (!get_port_state(port)) exit(0, "Port " + port + " is not open.");

version = get_kb_item("Oracle/Apex/"+port+"/Version");
if(!version) exit(0, "The 'Oracle/Apex/" + port + "/Version' KB item is not set.");

location = get_kb_item("Oracle/Apex/" + port + "/Location");
if(!location) exit(0, "The 'Oracle/Apex/" + port + "/Location' KB item is not set.");
url = build_url(qs:location, port:port);

if (version == "^[0-2]\." || version == "3.0" )
{
  report = '\n  URL               : ' + url +
           '\n  Installed version : ' + version +
           '\n  Fixed version     : 3.0.1' + '\n';
  raise_finding(port:port, report:report);
  exit(0);
}

exit(0, "The Oracle Apex install at " + url + " is version " + version + " and is not affected.");
VendorProductVersionCPE
oracleapplication_expresscpe:/a:oracle:application_express

Related

cvelist 1
cve 1
nvd 1
prion 1
cvelist
cvelist
CVE-2007-3860
2007-07-18 19:00:00
cve
cve
CVE-2007-3860
2007-07-18 19:30:00
nvd
nvd
CVE-2007-3860
2007-07-18 19:30:00
prion
prion
Sql injection
2007-07-18 19:30:00

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.004 Low

EPSS

Percentile

73.1%

JSON
Related for ORACLE_APEX_PRE301.NASL
cvelist1cve1nvd1prion1