Vulnerability Name:

CVE-2002-0947 (CCN-9289)

Assigned:2002-05-27
Published:2002-05-27
Updated:2008-09-05
Summary:Buffer overflow in rwcgi60 CGI program for Oracle Reports Server 6.0.8.18.0 and earlier, as used in Oracle9iAS and other products, allows remote attackers to execute arbitrary code via a long database name parameter.
CVSS v3 Severity:7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-Other
Vulnerability Consequences:Gain Access
References:Source: VULNWATCH
Type: UNKNOWN
20020612 [VulnWatch] Oracle Reports Server Buffer Overflow (#NISR12062002B)

Source: MITRE
Type: CNA
CVE-2002-0947

Source: BUGTRAQ
Type: UNKNOWN
20020612 Oracle Reports Server Buffer Overflow (#NISR12062002B)

Source: CCN
Type: Oracle Security Alert #35
Buffer Overflow Vulnerability in Oracle 9iAS Reports Server

Source: CONFIRM
Type: UNKNOWN
http://technet.oracle.com/deploy/security/pdf/reports6i_alert.pdf

Source: XF
Type: Patch, Vendor Advisory
oracle-reports-server-bo(9289)

Source: CCN
Type: US-CERT VU#997403
Oracle Reports Server Reports Web Cartridge (RWCGI60) vulnerable to buffer overflow via database name parameter

Source: CERT-VN
Type: Patch, Third Party Advisory, US Government Resource
VU#997403

Source: CCN
Type: NGSSoftware Insight Security Research Advisory #NISR12062002B
Oracle 9iAS Reports Server

Source: CCN
Type: NGSSoftware Vendor Notification Alert 27th May 2002
Oracle Reports Server

Source: MISC
Type: UNKNOWN
http://www.nextgenss.com/vna/ora-reports.txt

Source: CCN
Type: OSVDB ID: 5046
Oracle Reports Server rgcgi60 Database Name Remote Overflow

Source: BID
Type: Patch, Vendor Advisory
4848

Source: CCN
Type: BID-4848
Oracle Reports Server Remote Buffer Overflow Vulnerability

Source: XF
Type: UNKNOWN
oracle-reports-server-bo(9289)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:oracle:application_server:9.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:reports:6.0.8:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:oracle:reports:9.0.2:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    oracle application server 9.0.2
    oracle reports 6.0.8
    oracle reports 9.0.2