Vulnerability Name: | CVE-2006-0586 (CCN-24195)
Assigned: | 2006-01-18
Published: | 2006-01-18
Updated: | 2018-10-19
Summary: | Multiple SQL injection vulnerabilities in Oracle 10g Release 1 before CPU Jan 2006 allow remote attackers to execute arbitrary SQL commands via multiple parameters in (1) ATTACH_JOB, (2) HAS_PRIVS, and (3) OPEN_JOB functions in the SYS.KUPV$FT package; and (4) UPDATE_JOB, (5) ACTIVE_JOB, (6) ATTACH_POSSIBLE, (7) ATTACH_TO_JOB, (8) CREATE_NEW_JOB, (9) DELETE_JOB, (10) DELETE_MASTER_TABLE, (11) DETACH_JOB, (12) GET_JOB_INFO, (13) GET_JOB_QUEUES, (14) GET_SOLE_JOBNAME, (15) MASTER_TBL_LOCK, and (16) VALID_HANDLE functions in the SYS.KUPV$FT_INT package. Note: due to the lack of relevant details from the Oracle advisory, a separate CVE is being created since it cannot be conclusively proven that these issues have been addressed by Oracle. It is unclear which, if any, Oracle Vuln# identifiers apply to these issues.
CVSS v3 Severity: | 7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVSS v2 Severity: | 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
6.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)
6.5 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)
Vulnerability Type: | CWE-89
Vulnerability Consequences: | Data Manipulation
References: |
Source: CCN Type: Full-Disclosure Mailing List, Tue Jan 17 2006 - 18:04:03 CST Oracle Database 10g Rel. 1 - SQL Injection in SYS.KUPV$FT
Source: MITRE Type: CNA CVE-2006-0586
Source: FULLDISC Type: Vendor Advisory 20060118 Oracle Database 10g Rel. 1 - SQL Injection in SYS.KUPV$FT_INT
Source: FULLDISC Type: Vendor Advisory 20060118 Oracle Database 10g Rel. 1 - SQL Injection in SYS.KUPV$FT
Source: CCN Type: Oracle Web site Oracle Critical Patch Update Advisory - January 2006
Source: OSVDB Type: UNKNOWN 22839
Source: OSVDB Type: UNKNOWN 22840
Source: CCN Type: OSVDB ID: 22839 Oracle Database SYS.KUPV$FT Multiple Function SQL Injection
Source: CCN Type: OSVDB ID: 22840 Oracle Database SYS.KUPV$FT_INT Multiple Function SQL Injection
Source: MISC Type: Vendor Advisory http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html
Source: CCN Type: Red-Database-Security Advisory 17 Jan 2006 (V 1.00) SQL Injection in package SYS.KUPV$FT
Source: MISC Type: Vendor Advisory http://www.red-database-security.com/advisory/oracle_sql_injection_kupv$ft.html
Source: MISC Type: Vendor Advisory http://www.red-database-security.com/advisory/oracle_sql_injection_kupv$ft_int.html
Source: BUGTRAQ Type: UNKNOWN 20060117 Oracle Database 10g Rel. 1 - SQL Injection in SYS.KUPV$FT
Source: BUGTRAQ Type: UNKNOWN 20060117 Oracle Database 10g Rel. 1 - SQL Injection in SYS.KUPV$FT_INT
Source: BID Type: UNKNOWN 16294
Source: CCN Type: BID-16294 Oracle Database SYS.KUPV$FT Multiple SQL Injection Vulnerabilities
Source: XF Type: UNKNOWN oracle-syskupv$ft-sql-injection(24195)
Source: XF Type: UNKNOWN oracle-syskupv$ftint-sql-injection(24197)
Vulnerable Configuration: | Configuration 1: Configuration CCN 1: Denotes that component is vulnerable

Vulnerability Name: | CVE-2006-0586 (CCN-24197)
Assigned: | 2006-01-18
Published: | 2006-01-18
Updated: | 2006-01-18
Summary: | Oracle 10g is vulnerable to multiple SQL injection attacks in the SYS.KUPV$FT_INT package. A remote attacker could send specially-crafted SQL statements to the UPDATE_JOB, ACTIVE_JOB, ATTACH_POSSIBLE, ATTACH_TO_JOB, CREATE_NEW_JOB, DELETE_JOB, DELETE_MASTER_TABLE, DETACH_JOB, GET_JOB_INFO, GET_JOB_QUEUES, GET_SOLE_JOBNAME, MASTER_TBL_LOCK, or VALID_HANDLE function using various parameters, which could allow the attacker to add, modify, or delete information in the back-end database.
CVSS v3 Severity: | 7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVSS v2 Severity: | 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
6.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)
6.5 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)
Vulnerability Consequences: | Data Manipulation
References: |
Source: CCN Type: Full-Disclosure Mailing List, Tue Jan 17 2006 - 18:04:00 CST Oracle Database 10g Rel. 1 - SQL Injection in SYS.KUPV$FT_INT
Source: MITRE Type: CNA CVE-2006-0586
Source: CCN Type: Oracle Web site Oracle Critical Patch Update Advisory - January 2006
Source: CCN Type: OSVDB ID: 22839 Oracle Database SYS.KUPV$FT Multiple Function SQL Injection
Source: CCN Type: OSVDB ID: 22840 Oracle Database SYS.KUPV$FT_INT Multiple Function SQL Injection
Source: CCN Type: Red-Database-Security Advisory 17 Jan 2006 (V 1.00) SQL Injection in package SYS.KUPV$FT_INT
Source: CCN Type: BID-16294 Oracle Database SYS.KUPV$FT Multiple SQL Injection Vulnerabilities
Source: XF Type: UNKNOWN oracle-syskupvftint-sql-injection(24197)
Vulnerable Configuration: | Configuration CCN 1: Denotes that component is vulnerable