| Vulnerability Name: | CVE-2004-1338 (CCN-18655) |
| Assigned: | 2004-12-23 |
| Published: | 2004-12-23 |
| Updated: | 2017-07-11 |
| Summary: | The triggers in Oracle 9i and 10g allow local users to gain privileges by using a sequence of partially privileged actions: using CCBKAPPLROWTRIG or EXEC_CBK_FN_DML to add arbitrary functions to the SDO_CMT_DBK_FN_TABLE and SDO_CMT_CBK_DML_TABLE, then performing a DELETE on the SDO_TXN_IDX_INSERTS table, which causes the SDO_CMT_CBK_TRIG trigger to execute the user-supplied functions. |
| CVSS v3 Severity: | 9.3 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) |
| CVSS v2 Severity: | 6.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P) |
| Vulnerability Type: | CWE-264 |
| Vulnerability Consequences: | Gain Privileges |
| References: | Source: CCN Type: BugTraq Mailing List, Thu Dec 23 2004 - 10:29:32 CST Oracle Trigger Abuse (#NISR2122004I) |
| | Source: MITRE Type: CNA CVE-2004-1338 |
| | Source: MITRE Type: CNA CVE-2004-1339 |
| | Source: BUGTRAQ Type: Third Party Advisory 20041223 Oracle Trigger Abuse (#NISR2122004I) |
| | Source: CCN Type: US-CERT VU#170830 Oracle Enterprise Manager contains several vulnerabilities |
| | Source: MISC Type: Patch, Vendor Advisory http://www.ngssoftware.com/advisories/oracle23122004I.txt |
| | Source: CCN Type: Oracle Security Alert #68 This security alert addresses security vulnerabilities in Oracle's server products. |
| | Source: CCN Type: OSVDB ID: 12751 Oracle SDO_CMT_CBK_TRIG Trigger Arbitrary Command Injection |
| | Source: XF Type: UNKNOWN oracle-triggers-gain-privileges(18655) |
| Vulnerable Configuration: | Configuration 1: Configuration CCN 1: Denotes that component is vulnerable |