Oracle Database - SQL Injection in SYS.DBMS_UPGRADE [DB22]

Type securityvulns
Reporter Securityvulns
Modified 2006-07-24T00:00:00


Name SQL Injection in package SYS.DBMS_UPGRADE (6980717) [DB22]
Systems Oracle 10g Release 1
Severity High Risk
Category SQL Injection
Vendor URL
Author Alexander Kornbrust (ak at
Advisory 18 Jul 2006 (V 1.00)



The package SYS.DBMS_UPGRADE contains a SQL injection vulnerability. Oracle fixed these vulnerabilities with the package dbms_assert. To exploit this vulnerability, an attacker needs the privilege to create a PL/SQL function.
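The advisory does not publish the affected code, so the following is an added example (not Oracle's source and not part of the advisory) showing the kind of check dbms_assert provides: identifiers are validated before they are concatenated into dynamic SQL, and data values are passed as binds. The functions demo_count_unsafe and demo_count_safe and their parameters are hypothetical.

```sql
-- Added illustration: hypothetical functions, not the SYS.DBMS_UPGRADE source.

-- BEFORE: caller-controlled text becomes part of the statement itself.
CREATE OR REPLACE FUNCTION demo_count_unsafe (
  p_table IN VARCHAR2,
  p_col   IN VARCHAR2,
  p_value IN VARCHAR2
) RETURN NUMBER
IS
  l_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || p_table ||
    ' WHERE ' || p_col || ' = ''' || p_value || ''''
    INTO l_cnt;
  RETURN l_cnt;
END;
/

-- AFTER: identifiers pass through DBMS_ASSERT, the value travels as a bind.
CREATE OR REPLACE FUNCTION demo_count_safe (
  p_owner IN VARCHAR2,
  p_table IN VARCHAR2,
  p_col   IN VARCHAR2,
  p_value IN VARCHAR2
) RETURN NUMBER
IS
  l_owner VARCHAR2(64);
  l_table VARCHAR2(64);
  l_col   VARCHAR2(64);
  l_cnt   NUMBER;
BEGIN
  -- SCHEMA_NAME raises ORA-44001 unless the schema exists (case-sensitive);
  -- ENQUOTE_NAME(..., FALSE) then quotes it without changing its case.
  l_owner := DBMS_ASSERT.ENQUOTE_NAME(DBMS_ASSERT.SCHEMA_NAME(p_owner), FALSE);
  -- SIMPLE_SQL_NAME raises ORA-44003 for anything but a single identifier.
  l_table := DBMS_ASSERT.SIMPLE_SQL_NAME(p_table);
  l_col   := DBMS_ASSERT.SIMPLE_SQL_NAME(p_col);

  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || l_owner || '.' || l_table ||
    ' WHERE ' || l_col || ' = :v'
    INTO l_cnt
    USING p_value;  -- the value is bound, never concatenated
  RETURN l_cnt;
END;
/
```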

Patch Information

Apply the patches for Oracle CPU July 2006 on top of Oracle 10g Release 1.


01-nov-2005 Oracle secalert was informed
02-nov-2005 Oracle secalert asked for an exploit
18-jul-2006 Oracle published CPU July 2006 [DB22]
18-jul-2006 Advisory published

Additional Information

An analysis of the Oracle CPU July 2006 is available here

This document will be updated during the next few days and weeks with the latest information.