Short Name |
DB:ORACLE:DBMS-CDC-PUBLISH-INJ |
---|---|
Severity |
Major |
Recommended |
No |
Recommended Action |
Drop |
Category |
DB |
Keywords |
Oracle Database Server DBMS_CDC_PUBLISH SQL Injection |
Release Date |
2010/10/11 |
Update Number |
1789 |
Supported Platforms |
idp-4.0+, isg-3.1.134269+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+ |
Oracle Database Server contains an SQL injection vulnerability. The vulnerability is due to input validation errors in the DROP_CHANGE_SOURCE and ALTER_CHANGE_SOURCE procedures of the DBMS_CDC_PUBLISH package. Remote authenticated attackers with EXECUTE permission on the SYS.DBMS_CDC_PUBLISH package can exploit this vulnerability by sending a specially crafted parameter to the affected procedures. Successful exploitation would result in disclosure of information, and modification or manipulation of the data in the underlying database.
Oracle Database is prone to a remote SQL-injection vulnerability in the 'Change Data Capture' component. The vulnerability can be exploited over the 'Oracle Net' protocol. For an exploit to succeed, the attacker must have 'Execute on SYS.DBMS_CDC_PUBLISH' privileges. This vulnerability affects the following supported versions: 9.2.0.8, 9.2.0.8DV