Vulnerability Name: CVE-2007-2112 (CCN-33809)
Assigned: 2007-04-17
Published: 2007-04-17
Updated: 2018-10-16
Summary: Unspecified vulnerability in the Authentication component for Oracle Database 10.1.0.5 and 10.2.0.3 has unknown impact and attack vectors, aka DB05. Note: as of 20070424, Oracle has not disputed reliable claims that this issue allows remote authenticated users to bypass the AUTH_ALTER_SESSION security policies via a logon trigger ("AFTER LOGON ON DATABASE" trigger directive), a related issue to CVE-2006-0547.
CVSS v3 Severity: 4.6 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
CVSS v2 Severity: 6.0 Medium (CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P); 4.4 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P/E:U/RL:OF/RC:C); 4.0 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:U/RL:OF/RC:C)
Vulnerability Type: CWE-noinfo
Vulnerability Consequences: Informational
References:
  Source: CCN; Type: Full-Disclosure Mailing List, Wed Apr 18 2007 - 11:07:27 CDT; Oracle E-Business Suite Vulnerability Information April 2007
  Source: MITRE; Type: CNA; CVE-2007-2108, CVE-2007-2109, CVE-2007-2110, CVE-2007-2111, CVE-2007-2112, CVE-2007-2113, CVE-2007-2114, CVE-2007-2115, CVE-2007-2116, CVE-2007-2117, CVE-2007-2118, CVE-2007-2119, CVE-2007-2120, CVE-2007-2121, CVE-2007-2122, CVE-2007-2123, CVE-2007-2124, CVE-2007-2125, CVE-2007-2126, CVE-2007-2127, CVE-2007-2128, CVE-2007-2129, CVE-2007-2130, CVE-2007-2131, CVE-2007-2132, CVE-2007-2133, CVE-2007-2134, CVE-2007-2135, CVE-2007-2170
  Source: CCN; Type: IBM Security Bulletin 1268889; Oracle Engine Upgrade and Critical Patch - TCIM 6.0/7.0/8.0 Embedded Database Engine Upgrade (10.1.0.5) and April 2007 Oracle Critical Path Update
  Source: MISC; Type: UNKNOWN; http://www.integrigy.com/security-resources/analysis/Integrigy_Oracle_CPU_April_2007_Analysis.pdf
  Source: CCN; Type: US-CERT VU#809457; Oracle Database vulnerable to privilege escalation
  Source: MISC; Type: UNKNOWN; http://www.ngssoftware.com/research/papers/NGSSoftware-OracleCPUAPR2007.pdf
  Source: CCN; Type: Oracle Critical Patch Update - April 2007; Oracle Critical Patch Update Advisory - April 2007
  Source: CONFIRM; Type: UNKNOWN; http://www.oracle.com/technetwork/topics/security/cpuapr2007-090632.html
  Source: CCN; Type: OSVDB ID: 39920; Oracle PeopleSoft Enterprise Human Capital Management Unspecified Information Disclosure
  Source: CCN; Type: OSVDB ID: 39921; Oracle PeopleSoft JD Edwards HTTP Server Browser Cache Login Credential Disclosure
  Source: CCN; Type: OSVDB ID: 39922; Oracle PeopleSoft PeopleTools Unspecified FTP Script Upload Issue
  Source: CCN; Type: OSVDB ID: 39923; Oracle PeopleSoft PeopleTools Unspecified Stored XSS
  Source: CCN; Type: OSVDB ID: 39924; Oracle Database Core RDBMS NTLM SSPI AcceptSecurityContext Function Remote Privilege Escalation
  Source: CCN; Type: OSVDB ID: 39925; Oracle Database Rules Manager Expression Filter RLMGR_TRUNCATE_MAINT Trigger Race Condition
  Source: CCN; Type: OSVDB ID: 39926; Oracle Database Core RDBMS NULL DACL Multiple Function Arbitrary Code Execution
  Source: CCN; Type: OSVDB ID: 39929; Oracle Database Streams DBMS_APPLY_USER_AGENT.SET_REGISTRATION_HANDLER Procedure SQL Injection
  Source: CCN; Type: OSVDB ID: 39931; Oracle Database Change Data Capture (CDC) DBMS_CDC_IPUBLISH.CHGTAB_CACHE CHANGE_TABLE_NAME Parameter Remote Overflow
  Source: CCN; Type: OSVDB ID: 39932; Oracle Database Change Data Capture (CDC) DBMS_CDC_PUBLISH Multiple SQL Injections
  Source: CCN; Type: OSVDB ID: 39934; Oracle Database Instant Client genezi Command Unspecified Local Issue
  Source: CCN; Type: OSVDB ID: 39935; Oracle Database Text ctxsrv Command Unspecified Local Issue
  Source: CCN; Type: OSVDB ID: 39936; Oracle Database Upgrade/Downgrade mig Command Local Overflow
  Source: CCN; Type: OSVDB ID: 39939; Oracle Database Agent Unauthenticated Remote Information Disclosure
  Source: CCN; Type: OSVDB ID: 39940; Oracle Collaboration Suite Workspace Unspecified Authenticated Issue (OCS01)
  Source: CCN; Type: OSVDB ID: 39942; Oracle Application Server COREid Access HTTP Unspecified Remote Issue
  Source: CCN; Type: OSVDB ID: 39943; Oracle Application Server Wireless HTTP Unspecified Remote Issue
  Source: CCN; Type: OSVDB ID: 39944; Oracle Application Server Portal HTTP Unspecified Remote Issue
  Source: CCN; Type: OSVDB ID: 39945; Oracle Application Server Portal HTTP Unspecified Remote Information Disclosure
  Source: CCN; Type: OSVDB ID: 39948; Oracle E-Business Suite Report Manager Unauthenticated Remote Information Disclosure
  Source: CCN; Type: OSVDB ID: 39949; Oracle E-Business Suite Application Object Library Remote Information Disclosure
  Source: CCN; Type: OSVDB ID: 39950; Oracle E-Business Suite iStore Unspecified Remote Information Disclosure (APPS05)
  Source: CCN; Type: OSVDB ID: 39951; Oracle E-Business Suite iStore Unspecified Remote Information Disclosure (APPS06)
  Source: CCN; Type: OSVDB ID: 39952; Oracle E-Business Suite iSupport Remote Information Disclosure
  Source: CCN; Type: OSVDB ID: 39953; Oracle E-Business Suite Sales Online Remote Information Disclosure
  Source: CCN; Type: OSVDB ID: 39954; Oracle E-Business Suite Trade Management Remote Information Disclosure
  Source: CCN; Type: OSVDB ID: 39955; Oracle E-Business Suite Applications Manager Patch Administrator Local Information Disclosure
  Source: MISC; Type: UNKNOWN; http://www.red-database-security.com/advisory/bypass_oracle_logon_trigger.html
  Source: CCN; Type: Red-Database-Security Web site; Details Oracle Critical Patch Update April 2007
  Source: MISC; Type: UNKNOWN; http://www.red-database-security.com/advisory/oracle_cpu_apr_2007.html
  Source: BUGTRAQ; Type: UNKNOWN; 20070418 Advisory: Bypass Oracle Logon Trigger
  Source: HP; Type: UNKNOWN; SSRT061201
  Source: BID; Type: UNKNOWN; 23532
  Source: SECTRACK; Type: UNKNOWN; 1017927
  Source: CERT; Type: US Government Resource; TA07-108A
  Source: VUPEN; Type: Vendor Advisory; ADV-2007-1426
  Source: XF; Type: UNKNOWN; oracle-cpu-april2007(33809)
  Source: CCN; Type: IBM Internet Security Systems X-Force Database; Oracle E-Business Suite APPLSYS.FND_DM_NODES node deletion
Vulnerable Configuration: Configuration 1: Denotes that component is vulnerable

Vulnerability Name: CVE-2007-2112 (CCN-33831)
Assigned: 2007-04-17
Published: 2007-04-17
Updated: 2007-04-17
Summary: An unspecified vulnerability in Oracle Database Server could allow a remote attacker to bypass the database logon trigger. A remote attacker with "Create Session" privileges could send a specially-crafted request to bypass the logon trigger and gain unauthorized access to the database.
CVSS v3 Severity: 4.6 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
CVSS v2 Severity: 6.0 Medium (CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P); 4.4 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P/E:U/RL:OF/RC:C); 4.0 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:U/RL:OF/RC:C)
Vulnerability Consequences: Bypass Security
References:
  Source: CCN; Type: BugTraq Mailing List, Wed Apr 18 2007 - 03:01:09 CDT; Advisory: Bypass Oracle Logon Trigger
  Source: CCN; Type: Full-Disclosure Mailing List, Wed Apr 18 2007 - 11:07:27 CDT; Oracle E-Business Suite Vulnerability Information April 2007
  Source: MITRE; Type: CNA; CVE-2007-2112
  Source: CCN; Type: SA24929; Oracle Products Multiple Vulnerabilities
  Source: CCN; Type: SECTRACK ID: 1017927; Oracle Database and Other Products Have Unspecified Vulnerabilities With Unspecified Impact
  Source: CCN; Type: Oracle Critical Patch Update - April 2007; Oracle Critical Patch Update Advisory - April 2007
  Source: CCN; Type: Red-Database-Security Web site; Details Oracle Critical Patch Update April 2007
  Source: CCN; Type: BID-23532; Oracle April 2007 Security Update Multiple Vulnerabilities
  Source: XF; Type: UNKNOWN; oracle-logon-auth-bypass(33831)
Vulnerable Configuration: Configuration CCN 1: Denotes that component is vulnerable