APEX Password Hash Disclosure

16 Apr 2009. Reported by Alexander Kornbrust. Type: packetstorm. Source: packetstormsecurity.com

Unprivileged DB users can see APEX password hashes in FLOWS_030000.WWV_FLOW_USER. Severity: high risk.

`Name Unprivileged DB users can see APEX password hashes  
Systems Affected APEX 3.0 (optional component of 11.1.0.7 installation)  
Severity High Risk  
Category Password Disclosure  
Vendor URL http://www.oracle.com/  
Author Alexander Kornbrust (ak at red-database-security.com)  
CVE CVE-2009-0981  
Advisory 14 April 2009 (V 1.00)  
  
  
Details:  
Unprivileged database users can see APEX password hashes in FLOWS_030000.WWV_FLOW_USER.  
  
SQL> select user_name,web_password2 from FLOWS_030000.WWV_FLOW_USERS  
  
USER_NAME WEB_PASSWORD2  
----------------------------------------------------------------------  
YURI 141FA790354FB6C72802FDEA86353F31  
  
This password hash can be checked using a tool like Repscan.  
  
  
Additional information is available in the following advisory.  
  
  
Advisory:  
http://www.red-database-security.com/advisory/apex_password_hashes.html  
  
  
Patch Information:  
Upgrade to Oracle APEX 3.2.  
  
  
Verification:  
Our Oracle database scanner Repscan was updated with the information from the Oracle  
CPU April 2009 and can identify vulnerable databases.   
More Information about Repscan can be found here:  
http://www.sentrigo.com/repscan  
  
  
History:  
13-jan-2009 Oracle published CPU April 2009 [CVE-2009-0981]  
14-apr-2009 Oracle published CPU April 2009 [CVE-2009-0981]  
14-apr-2009 Advisory published  
  
  
About Red-Database-Security:  
Red-Database-Security is the leading company for Oracle security. Within the last   
6 years we reported several hundred vulnerabilities to Oracle.  
  
--  
(c) 2009 by Red-Database-Security GmbH  
http://www.red-database-security.com  
`
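
For administrators checking their own database, the following audit queries are an added example, not part of the advisory or of Repscan. They assume a DBA account and that the exposure shows up as an object grant or synonym on the objects named in the advisory; both spellings of the object name that appear above are checked.

```sql
-- Added audit example (not from the advisory). Run as a DBA account.
-- Schema and object names are taken from the advisory text; that the
-- exposure is visible as a grant or synonym is an assumption.

-- 1. Installed APEX version. The advisory lists APEX 3.0 as affected
--    and recommends upgrading to APEX 3.2.
SELECT comp_id, version, status
FROM   dba_registry
WHERE  comp_id = 'APEX';

-- 2. Every grantee holding an object privilege on the user/hash objects.
--    A row with grantee PUBLIC, or any low-privilege account or role,
--    means that account can read the WEB_PASSWORD2 column.
SELECT grantee, owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'FLOWS_030000'
AND    table_name IN ('WWV_FLOW_USER', 'WWV_FLOW_USERS')
ORDER  BY grantee, table_name;

-- 3. Synonyms that point at those objects, which make them reachable
--    without the schema prefix.
SELECT owner, synonym_name, table_owner, table_name
FROM   dba_synonyms
WHERE  table_owner = 'FLOWS_030000'
AND    table_name IN ('WWV_FLOW_USER', 'WWV_FLOW_USERS')
ORDER  BY owner, synonym_name;
```

An empty result for queries 2 and 3 on an APEX 3.0 installation does not prove the database is unaffected; the fix named in the advisory is the upgrade to APEX 3.2.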
