Lucene search
RootSSV:20201HistoryOct 26, 2010 - 12:00 a.m.
Oracle数据库CREATE_CHANGE_SET过程SQL注入漏洞
2010-10-2600:00:00
Root
www.seebug.org
20
0.086 Low
EPSS
Percentile
93.8%
BUGTRAQ ID: 43956
CVE ID: CVE-2010-2415
Oracle是大型的商业数据库系统。
Oracle数据库的Change Data Capture组件中提供了一个DBMS_CDC_PUBLISH PL/SQL软件包,该软件包的CREATE_CHANGE_SET过程中存在SQL注入漏洞。恶意用户可以以特殊参数调用有漏洞的过程,导致以SYS用户的权限执行SQL语句。
利用这个漏洞要求拥有对SYS.DBMS_CDC_PUBLISH软件包的EXECUTE权限。默认下给予了EXECUTE_CATALOG_ROLE角色的用户拥有这个权限。
Oracle Database 11.2.0.1
Oracle Database 11.1.0.7
Oracle Database 10.2.0.4
Oracle Database 10.2.0.3
Oracle Database 10.1.0.5
厂商补丁:
Oracle
Oracle已经为此发布了一个安全公告(cpuoct2010)以及相应补丁:
cpuoct2010:Oracle Critical Patch Update Advisory - October 2010
链接:http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
Related
prion
prion
Design/Logic Flaw
2010-10-14 02:00:00
cve
cve
CVE-2010-2415
2010-10-14 02:00:00
nessus
nessus
Oracle Database Multiple Vulnerabilities (October 2010 CPU)
2010-11-18 00:00:00
securityvulns
securityvulns
Oracle Critical Patch Update Advisory - October 2010
2010-10-13 00:00:00
Oracle / Sun / Peoplesoft applications multiple security vulnerabilities
2011-07-18 00:00:00
oracle
oracle
Oracle Critical Patch Update - October 2010
2010-10-12 00:00:00