Vulnerability Name: CVE-2002-0568 (CCN-8453)
Assigned: 2002-01-10
Published: 2002-01-10
Updated: 2016-10-18
Summary: Oracle 9i Application Server stores XSQL and SOAP configuration files insecurely, which allows local users to obtain sensitive information including usernames and passwords by requesting (1) XSQLConfig.xml or (2) soapConfig.xml through a virtual directory.
CVSS v3 Severity: 4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVSS v2 Severity: 2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
Vulnerability Type: CWE-Other
Vulnerability Consequences: Obtain Information
References:
  Source: MITRE Type: CNA CVE-2002-0568
  Source: MITRE Type: CNA CVE-2002-0569
  Source: BUGTRAQ Type: UNKNOWN 20020206 Hackproofing Oracle Application Server paper
  Source: CCN Type: Oracle Security Alert #28 Vulnerabilities in Oracle mod_plsql and JSP in Oracle9i Application Server, v1.0.2.x
  Source: CCN Type: CERT Advisory CA-2002-08 Multiple vulnerabilities in Oracle Servers
  Source: CERT Type: Patch, Third Party Advisory, US Government Resource CA-2002-08
  Source: CCN Type: US-CERT VU#476619 Oracle 9iAS default configuration allows arbitrary users to view sensitive configuration files
  Source: CERT-VN Type: Patch, Third Party Advisory, US Government Resource VU#476619
  Source: CCN Type: US-CERT VU#977251 Oracle 9iAS XSQL Servlet ignores file permissions allowing arbitrary users to view sensitive configuration files
  Source: CCN Type: NGSSoftware Insight Security Research Paper Hackproofing Oracle Application Server
  Source: MISC Type: UNKNOWN http://www.nextgenss.com/papers/hpoas.pdf
  Source: CCN Type: OSVDB ID: 3411 Oracle Application Server XSQLServlet soapConfig.xml Authentication Credentials Disclosure
  Source: CCN Type: OSVDB ID: 3423 Oracle Application Server XSQLServlet XSQLConfig.xml Authentication Credentials Disclosure
  Source: CCN Type: OSVDB ID: 59558 Oracle Application Server XSQL Servlet Direct Request Configuration File Disclosure
  Source: BID Type: Vendor Advisory 4290
  Source: CCN Type: BID-4290 Oracle 9i Default Configuration File Information Disclosure Vulnerability
  Source: CCN Type: BID-4298 Oracle 9iAS XSQL Servlet File Permission Bypass Vulnerability
  Source: XF Type: UNKNOWN oracle-appserver-config-file-access(8453)
Vulnerable Configuration: Configuration 1: Configuration CCN 1: Denotes that component is vulnerable