Oracle Database Data Pump Metadata API DBMS_METADATA Unspecified Procedure SQL Injection

2006-01-17T04:32:39
ID OSVDB:22643
Type osvdb
Reporter OSVDB
Modified 2006-01-17T04:32:39

Description

Vulnerability Description

Oracle Database Server contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the DBMS_METADATA package not properly sanitizing user-supplied input to unspecified procedures. This may allow an attacker to inject or manipulate SQL queries in the backend database.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle has released a patch (January 2006 Critical Patch Update) that addresses this vulnerability.

References:

Vendor Specific Advisory URL
Vendor Specific Advisory URL
Secunia Advisory ID: 18493
Secunia Advisory ID: 18608
Related OSVDB ID: 22637
Related OSVDB ID: 22543
News Article: http://news.com.com/Oracle+fixes+pile+of+bugs/2100-1002_3-6027847.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-01/0420.html
Keyword: Document ID: c00593668
Keyword: HPSBMA02094
Keyword: SSRT061104
Keyword: DB05
FrSIRT Advisory: ADV-2006-0243
FrSIRT Advisory: ADV-2006-0323
CVE-2006-0260
CERT VU: 545804
Bugtraq ID: 16287