Vulnerability Name:

CVE-2006-5341 (CCN-29782)

Assigned:2006-10-17
Published:2006-10-17
Updated:2018-10-17
Summary:Multiple unspecified vulnerabilities in XMLDB component in Oracle Database 9.2.0.8, 10.1.0.5, and 10.2.0.2 have unknown impact and remote authenticated attack vectors, aka (1) Vuln# DB14 and (2) DB15 related to xdb.dbms_xdbz.
Note: as of 20061023, Oracle has not disputed reports from reliable third parties that DB14 is for SQL injection in the PITRIG_DROP and PITRIG_DROPMETADATA functions in XDB_PITRIG_PKG, and DB15 is for SQL injection in DISABLE_HIERARCHY_INTERNAL in DBMS_XDBZ.
CVSS v3 Severity:5.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity:9.0 High (CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
7.9 High (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:H/RL:OF/RC:C)
6.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)
5.7 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:H/RL:OF/RC:C)
Vulnerability Type:CWE-noinfo
Vulnerability Consequences:Informational
References:Source: CCN
Type: Full-Disclosure Mailing List, Wed Oct 18 2006 - 01:55:35 CDT
Analysis of the Oracle October 2006 Critical Patch Update

Source: MITRE
Type: CNA
CVE-2006-5332

Source: MITRE
Type: CNA
CVE-2006-5333

Source: MITRE
Type: CNA
CVE-2006-5334

Source: MITRE
Type: CNA
CVE-2006-5335

Source: MITRE
Type: CNA
CVE-2006-5336

Source: MITRE
Type: CNA
CVE-2006-5337

Source: MITRE
Type: CNA
CVE-2006-5338

Source: MITRE
Type: CNA
CVE-2006-5339

Source: MITRE
Type: CNA
CVE-2006-5340

Source: MITRE
Type: CNA
CVE-2006-5341

Source: MITRE
Type: CNA
CVE-2006-5342

Source: MITRE
Type: CNA
CVE-2006-5343

Source: MITRE
Type: CNA
CVE-2006-5344

Source: MITRE
Type: CNA
CVE-2006-5345

Source: MITRE
Type: CNA
CVE-2006-5346

Source: MITRE
Type: CNA
CVE-2006-5347

Source: MITRE
Type: CNA
CVE-2006-5348

Source: MITRE
Type: CNA
CVE-2006-5349

Source: MITRE
Type: CNA
CVE-2006-5350

Source: MITRE
Type: CNA
CVE-2006-5351

Source: MITRE
Type: CNA
CVE-2006-5352

Source: MITRE
Type: CNA
CVE-2006-5353

Source: MITRE
Type: CNA
CVE-2006-5354

Source: MITRE
Type: CNA
CVE-2006-5355

Source: MITRE
Type: CNA
CVE-2006-5356

Source: MITRE
Type: CNA
CVE-2006-5357

Source: MITRE
Type: CNA
CVE-2006-5358

Source: MITRE
Type: CNA
CVE-2006-5359

Source: MITRE
Type: CNA
CVE-2006-5360

Source: MITRE
Type: CNA
CVE-2006-5361

Source: MITRE
Type: CNA
CVE-2006-5362

Source: MITRE
Type: CNA
CVE-2006-5363

Source: MITRE
Type: CNA
CVE-2006-5364

Source: MITRE
Type: CNA
CVE-2006-5365

Source: MITRE
Type: CNA
CVE-2006-5366

Source: MITRE
Type: CNA
CVE-2006-5367

Source: MITRE
Type: CNA
CVE-2006-5368

Source: MITRE
Type: CNA
CVE-2006-5369

Source: MITRE
Type: CNA
CVE-2006-5370

Source: MITRE
Type: CNA
CVE-2006-5371

Source: MITRE
Type: CNA
CVE-2006-5372

Source: MITRE
Type: CNA
CVE-2006-5373

Source: MITRE
Type: CNA
CVE-2006-5374

Source: MITRE
Type: CNA
CVE-2006-5375

Source: MITRE
Type: CNA
CVE-2006-5376

Source: MITRE
Type: CNA
CVE-2006-5377

Source: MITRE
Type: CNA
CVE-2006-5378

Source: CCN
Type: SA22396
Oracle Products Multiple Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
22396

Source: CCN
Type: SECTRACK ID: 1017077
Oracle Database and Other Products Have Multiple Unspecified Vulnerabilities With Unspecified Impact

Source: SECTRACK
Type: UNKNOWN
1017077

Source: MISC
Type: UNKNOWN
http://www.databasesecurity.com/oracle/OracleOct2006-CPU-Analysis.pdf

Source: CCN
Type: US-CERT VU#318764
Oracle DISABLE_HIERARCHY_INTERNAL procedure vulnerable to PL/SQL injection

Source: CERT-VN
Type: US Government Resource
VU#318764

Source: CCN
Type: US-CERT VU#446100
Oracle CREATE_CHANGE_TABLE procedure vulnerable to PL/SQL injection

Source: CCN
Type: US-CERT VU#716964
Oracle PREPARE_UNBOUNDED_VIEW procedure vulnerable to PL/SQL injection

Source: CCN
Type: US-CERT VU#717140
Oracle ENABLE_HIERARCHY_INTERNAL procedure vulnerable to PL/SQL injection

Source: CCN
Type: US-CERT VU#736324
Oracle SYS.DBMS_CDC_IMPDP package vulnerable to PL/SQL injection

Source: CCN
Type: US-CERT VU#869292
Oracle MDSYS.SDO_LRS package vulnerable to PL/SQL injection

Source: CCN
Type: Oracle Critical Patch Update - October 2006
Oracle Critical Patch Update Advisory - October 2006

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/topics/security/cpuoct2006-095368.html

Source: CCN
Type: OSVDB ID: 31383
Oracle Pharmaceutical Applications Clinical Remote Data Capture Option Unspecified HTTP Issue

Source: CCN
Type: OSVDB ID: 31384
Oracle PeopleSoft PeopleTools Unspecified Authenticated HTTP Complete Compromise

Source: CCN
Type: OSVDB ID: 31385
Oracle PeopleSoft PeopleTools HTTP Remote Unauthenticated Unspecified Issue

Source: CCN
Type: OSVDB ID: 31386
Oracle PeopleSoft PeopleTools Unspecified Authenticated HTTP Remote Issue (PSE03)

Source: CCN
Type: OSVDB ID: 31387
Oracle PeopleSoft PeopleTools Unspecified Authenticated HTTP Remote Issue (PSE04)

Source: CCN
Type: OSVDB ID: 31388
Oracle PeopleSoft Enterprise Portal Unspecified Authenticated HTTP Remote Issue

Source: CCN
Type: OSVDB ID: 31389
Oracle PeopleSoft PeopleTools Authenticated HTTP Simple Remote Information Disclosure

Source: CCN
Type: OSVDB ID: 31390
Oracle PeopleSoft PeopleTools Authenticated HTTP Complex Remote Information Disclosure (PSE07)

Source: CCN
Type: OSVDB ID: 31391
Oracle PeopleSoft PeopleTools Authenticated HTTP Complex Remote Information Disclosure (PSE08)

Source: CCN
Type: OSVDB ID: 31392
Oracle JD Edwards EnterpriseOne HTML Server Unspecified Information Disclosure

Source: CCN
Type: OSVDB ID: 31393
Oracle Multiple Products HTTP Server htdigest Unspecified Remote Issue

Source: CCN
Type: OSVDB ID: 31394
Oracle Multiple Products HTTP Server SSL Unspecified Integrity Issue

Source: CCN
Type: OSVDB ID: 31395
Oracle Multiple Products HTTP Server SSL Unspecified Information Disclosure

Source: CCN
Type: OSVDB ID: 31396
Oracle Multiple Products HTTP Server Unspecified Remote Unauthenticated Issue

Source: CCN
Type: OSVDB ID: 31397
Oracle HTTP Server SSL Unspecified Remote DoS

Source: CCN
Type: OSVDB ID: 31398
Oracle Multiple Products HTTP Server SSL Unspecified Remote Information Disclosure

Source: CCN
Type: OSVDB ID: 31399
Oracle Multiple Products HTTP Server Mod_rewrite Unspecified Remote Issue

Source: CCN
Type: OSVDB ID: 31400
Oracle Multiple Products Single Sign-On (SSO) HTTP Unspecified Unauthenticated Remote Issue

Source: CCN
Type: OSVDB ID: 31401
Oracle Multiple Products Single Sign-On (SSO) HTTP Unauthenticated Remote Information Disclosure

Source: CCN
Type: OSVDB ID: 31402
Oracle Collaboration Suite Containers for J2EE HTTP Remote Information Disclosure

Source: CCN
Type: OSVDB ID: 31403
Oracle Multiple Products Containers for J2EE HTTP Remote DoS

Source: CCN
Type: OSVDB ID: 31404
Oracle Multiple Products Containers for J2EE Remote Method Invocation Remote DoS

Source: CCN
Type: OSVDB ID: 31405
Oracle Multiple Products Containers for J2EE Custom Login Module HTTP Information Disclosure

Source: CCN
Type: OSVDB ID: 31406
Oracle Collaboration Suite Process Mgmt & Notification ONS Remote DoS

Source: CCN
Type: OSVDB ID: 31407
Oracle Application Server HTTP Server PHP Module Remote DoS

Source: CCN
Type: OSVDB ID: 31408
Oracle Application Server Forms HTTP Unauthenticated Information Disclosure

Source: CCN
Type: OSVDB ID: 31409
Oracle Multiple Products Forms HTTP Unspecified Remote DoS

Source: CCN
Type: OSVDB ID: 31410
Oracle Application Server Forms HTTP Remote Information Disclosure

Source: CCN
Type: OSVDB ID: 31413
Oracle Application Server Containers for J2EE Web Services Security Information Disclosure

Source: CCN
Type: OSVDB ID: 31414
Oracle E-Business Suite Exchange HTTP Unspecified Remote Issue

Source: CCN
Type: OSVDB ID: 31415
Oracle E-Business Suite Application Object Library HTTP Remote Information Disclosure

Source: CCN
Type: OSVDB ID: 31416
Oracle E-Business Suite Applications Framework HTTP Unspecified Issue

Source: CCN
Type: OSVDB ID: 31417
Oracle E-Business Suite Applications Technology Stack HTTP Unspecified Remote DoS

Source: CCN
Type: OSVDB ID: 31418
Oracle E-Business Suite Balanced Scorecard Manager Unspecified Information Disclosure

Source: CCN
Type: OSVDB ID: 31419
Oracle E-Business Suite Scripting Agent Unspecified Information Disclosure

Source: CCN
Type: OSVDB ID: 31420
Oracle E-Business Suite Trading Community TCA Administrator Unspecified Information Disclosure

Source: CCN
Type: OSVDB ID: 31421
Oracle E-Business Suite CRM Gateway for Mobile Devices Mobile Field Service Administrator Information Disclosure

Source: CCN
Type: OSVDB ID: 31422
Oracle E-Business Suite Email Center Administrator Remote Information Disclosure

Source: CCN
Type: OSVDB ID: 31423
Oracle E-Business Suite iStore HTTP Unspecified Remote Issue

Source: CCN
Type: OSVDB ID: 31424
Oracle E-Business Suite Universal Work Queue iMeeting System Configure Responsibility Information Disclosure

Source: CCN
Type: OSVDB ID: 31425
Oracle E-Business Suite Application Object Library Unspecified Issue

Source: CCN
Type: OSVDB ID: 31426
Oracle E-Business Suite Install Base Administrator Unspecified Issue

Source: CCN
Type: OSVDB ID: 31428
Oracle Database Spatial SDO_DROP_USER_BEFORE Package SQL Injection

Source: CCN
Type: OSVDB ID: 31429
Oracle Database Spatial mdsys.md2 Unspecified Issue

Source: CCN
Type: OSVDB ID: 31452
Oracle Database Spatial mdsys.sdo_geom Unspecified Issue

Source: CCN
Type: OSVDB ID: 31459
Oracle Database Spatial mdsys.sdo_tune Unspecified Issue

Source: CCN
Type: OSVDB ID: 31460
Oracle Database Scheduler sys.dbms_scheduler Unspecified Issue

Source: CCN
Type: OSVDB ID: 31463
Oracle Database Spatial mdsys.sdo_geom Unspecified DoS

Source: CCN
Type: OSVDB ID: 31472
Oracle Application Express Unauthenticated Complex Unspecified Issue (APEX04)

Source: CCN
Type: OSVDB ID: 31488
Oracle Application Express Unauthenticated Unspecified Issue (APEX20)

Source: CCN
Type: OSVDB ID: 31489
Oracle Application Express Unauthenticated Unspecified Issue (APEX21)

Source: MISC
Type: UNKNOWN
http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html

Source: MISC
Type: UNKNOWN
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_xdbz0.html

Source: BUGTRAQ
Type: UNKNOWN
20061018 Analysis of the Oracle October 2006 Critical Patch Update

Source: BUGTRAQ
Type: UNKNOWN
20061023 SQL Injection in package XDB.DBMS_XDBZ0

Source: HP
Type: UNKNOWN
HPSBMA02133

Source: BID
Type: Patch
20588

Source: CCN
Type: BID-20588
Oracle October 2006 Security Update Multiple Vulnerabilities

Source: CERT
Type: US Government Resource
TA06-291A

Source: VUPEN
Type: UNKNOWN
ADV-2006-4065

Source: XF
Type: UNKNOWN
oracle-cpu-oct2006(29782)

Source: CCN
Type: IBM Internet Security Systems X-Force Database
Oracle Database PREPARE_UNBOUNDED_VIEW SQL injection

Vulnerable Configuration:Configuration 1:
  • cpe:/a:oracle:database_server:9.2.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:10.1.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:10.2.0.2:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
Vulnerability Name:

CVE-2006-5341 (CCN-30103)

Assigned:2006-10-17
Published:2006-10-17
Updated:2006-10-17
Summary:Oracle Database is vulnerable to SQL injection. A remote attacker with execute privileges on the XDB.DBMS_XDBZ package could send specially-crafted SQL statements to the DISABLE_HIERARCHY_INTERNAL procedure, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVSS v3 Severity:5.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity:9.0 High (CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
7.9 High (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:H/RL:OF/RC:C)
6.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)
5.7 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:H/RL:OF/RC:C)
Vulnerability Consequences:Data Manipulation
References:Source: CCN
Type: Full-Disclosure Mailing List, Mon Oct 23 2006 - 12:05:12 CDT
SQL Injection in Oracle package XDB.DBMS_XDBZ0

Source: MITRE
Type: CNA
CVE-2006-5341

Source: CCN
Type: SA22396
Oracle Products Multiple Vulnerabilities

Source: CCN
Type: SECTRACK ID: 1017077
Oracle Database and Other Products Have Multiple Unspecified Vulnerabilities With Unspecified Impact

Source: CCN
Type: US-CERT VU#318764
Oracle DISABLE_HIERARCHY_INTERNAL procedure vulnerable to PL/SQL injection

Source: CCN
Type: Oracle Critical Patch Update - October 2006
Oracle Critical Patch Update Advisory - October 2006

Source: CCN
Type: Red-Database-Security Web site
Details Oracle Critical Patch Update October 2006 - V1.02

Source: CCN
Type: BID-20588
Oracle October 2006 Security Update Multiple Vulnerabilities

Source: XF
Type: UNKNOWN
oracle-disablehierarchy-sql-injection(30103)

Vulnerable Configuration:Configuration CCN 1:
  • cpe:/a:oracle:database_server:9.2.0.6:r2:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:10.1.0.4:r1:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:10.2.0.1:r2:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:10.1.0.5:r1:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:9.2.0.7:r2:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:10.2.0.2:r2:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:9.2.0.8:r2:*:*:*:*:*:*

  • * Denotes that component is vulnerable