SAINT CorporationSAINT:893F9CEA6796DC8FD10CF4F3637FDBDBOracle Warehouse Builder SQL Injection
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.004 Low
EPSS
Percentile
74.8%
Added: 08/01/2011
CVE: CVE-2011-0799
BID: 47431
OSVDB: 71956
Background
Oracle Warehouse Builder (OWB) is an ETL tool produced by Oracle that offers a graphical environment to build, manage and maintain data integration processes in business intelligence systems.
Problem
A SQL injection vulnerability exists in Oracle Warehouse Builder versions 10.2.0.5, 11.1.0.7, 11.2.0.1 and prior. An authenticated user with the CONNECT privilege may leverage this vulnerability to remotely compromise the server.
Resolution
Apply the April 2011 Oracle Critical Patch Update.
References
<http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html>
Limitations
This exploit has been tested against Oracle Business Intelligence Standard Edition One 10.1.3.2.1 on Windows Server 2003 SP2 (DEP OptOut). The exploit requires the login and password to an Oracle account with connect privileges. This exploit must bind to TCP port 80, so it needs root privileges to execute and no other process can be binding to port 80.
Platforms
Windows
Related
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.004 Low
EPSS
Percentile
74.8%