|
Oracle multiple security vulnerabilities
updated since 19.07.2007 | | Published: |  | 24.07.2007 | | Source: |  | BUGTRAQ | | SecurityVulns ID: |  | 7942 | | Type: |  | remote | | Level: |  | 7/10 | | Description: |  | DBMS_DRS.GET_PROPERTY and MDSYS.MD buffer overflow, crossite scripting, privilege escalation with views. |
| Affected: |  | ORACLE : Oracle 9i | | | | ORACLE : Oracle 8i | | | | ORACLE : Oracle 10g | | CVE: |  | CVE-2007-3867 (Multiple unspecified vulnerabilities in Oracle E-Business Suite 11.5.10CU2 have unknown impact and attack vectors, related to (1) APPS04, (2) APPS05, and (3) APPS06 in (a) Oracle Application Object Library, (4) APPS07 in Oracle Customer Intelligence, (5) APPS08 in Oracle Payments, (7) APPS10 in Oracle Human Resources, and (8) APPS11 in iRecruitment.) | | | | CVE-2007-3866 (Multiple unspecified vulnerabilities in Oracle E-Business Suite 11.5.10CU2 and 12.0.1 allow remote attackers to have an unknown impact via (a) Oracle Configurator (APPS02), (b) Oracle iExpenses (APPS03), (c) Oracle Application Object Library (APPS09), and (1) APPS12, (2) APPS13, and (3) APPS14 in (d) Oracle Payables.) | | | | CVE-2007-3865 (Unspecified vulnerability in the Oracle Customer Intelligence component in Oracle E-Business Suite 12.0.1 has unknown impact and remote attack vectors, aka APPS01.) | | | | CVE-2007-3855 (Multiple unspecified vulnerabilities in Oracle Database 9.0.1.5+, 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.3 allows remote authenticated users to have an unknown impact via (1) SYS.DBMS_DRS in the DataGuard component (DB03), (2) SYS.DBMS_STANDARD in the PL/SQL component (DB10), (3) MDSYS.RTREE_IDX in the Spatial component (DB16), and (4) SQL Compiler (DB17). NOTE: a reliable researcher claims that DB17 is for using Views to perform unauthorized insert, update, or delete actions.) | | | | CVE-2007-0272 (Unspecified vulnerability in Oracle Database 8.1.7.4, 9.0.1.5, 9.2.0.7, and 10.1.0.4 has unknown impact and attack vectors related to the Oracle Spatial component and mdsys.md privileges, aka DB05. NOTE: Oracle has not disputed a reliable researcher report that claims this is for multiple buffer overflows and other issues in unspecified public procedures.) | | | | CVE-2007-0270 (Unspecified vulnerability in Oracle Database 9.2.0.7 and 10.1.0.4 has unknown impact and attack vectors related to the Data Guard and sys.dbms_drs privileges, aka DB03. NOTE: Oracle has not disputed a reliable researcher claim that this is a buffer overflow in the GET_PROPERTY function in SYS.DBMS_DRS, which can be exploited for arbitrary code execution or a denial of service.) |
| Original document |  | Integrigy Security Alerts, Oracle E-Business Suite - Multiple Vulnerabilities (24.07.2007) |
| | | CERT, US-CERT Technical Cyber Security Alert TA07-200A -- Oracle Releases Patches for Multiple Vulnerabilities (21.07.2007) |
| | | SHATTER, Oracle Database Buffer overflow vulnerabilities in procedure DBMS_DRS.GET_PROPERTY (DB03) (19.07.2007) |
| | | SHATTER, Oracle Database Buffer overflows and Denial of service vulnerabilities in public procedures of MDSYS.MD (DB12) (19.07.2007) |
| | | Kornbrust, Alexander, Oracle Security: SQL Injection in APEX CHECK_DB_PASSWORD (19.07.2007) |
| | | Kornbrust, Alexander, Oracle Security: SQL Injection in package DBMS_PRVTAQIS (19.07.2007) |
| | | Kornbrust, Alexander, Oracle Security: Insert / Update / Delete Data via Views (19.07.2007) |
|
|
|
|
|
