Vulnerability Name:

CVE-2007-5766 (CCN-37279)

Assigned:2007-10-16
Published:2007-10-16
Updated:2018-10-15
Summary:SQL injection vulnerability in okxLOV.jsp in Oracle E-Business Suite 11 and 12 allows remote attackers to execute arbitrary SQL commands via unknown vectors.
Note: this is probably the same issue as CVE-2007-5527 or CVE-2007-5528, but there are insufficient details to be sure.
CVSS v3 Severity:5.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
5.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): 
Access Complexity (AC): 
Authentication (Au): 
Impact Metrics:Confidentiality (C): 
Integrity (I): 
Availibility (A): 
6.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)
4.8 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): 
Access Complexity (AC): 
Athentication (Au): 
Impact Metrics:Confidentiality (C): 
Integrity (I): 
Availibility (A): 
Vulnerability Type:CWE-89
Vulnerability Consequences:Informational
References:Source: MITRE
Type: CNA
CVE-2007-5504

Source: MITRE
Type: CNA
CVE-2007-5505

Source: MITRE
Type: CNA
CVE-2007-5506

Source: MITRE
Type: CNA
CVE-2007-5507

Source: MITRE
Type: CNA
CVE-2007-5508

Source: MITRE
Type: CNA
CVE-2007-5509

Source: MITRE
Type: CNA
CVE-2007-5510

Source: MITRE
Type: CNA
CVE-2007-5511

Source: MITRE
Type: CNA
CVE-2007-5512

Source: MITRE
Type: CNA
CVE-2007-5513

Source: MITRE
Type: CNA
CVE-2007-5514

Source: MITRE
Type: CNA
CVE-2007-5515

Source: MITRE
Type: CNA
CVE-2007-5516

Source: MITRE
Type: CNA
CVE-2007-5517

Source: MITRE
Type: CNA
CVE-2007-5518

Source: MITRE
Type: CNA
CVE-2007-5519

Source: MITRE
Type: CNA
CVE-2007-5520

Source: MITRE
Type: CNA
CVE-2007-5521

Source: MITRE
Type: CNA
CVE-2007-5522

Source: MITRE
Type: CNA
CVE-2007-5523

Source: MITRE
Type: CNA
CVE-2007-5524

Source: MITRE
Type: CNA
CVE-2007-5525

Source: MITRE
Type: CNA
CVE-2007-5526

Source: MITRE
Type: CNA
CVE-2007-5527

Source: MITRE
Type: CNA
CVE-2007-5528

Source: MITRE
Type: CNA
CVE-2007-5529

Source: MITRE
Type: CNA
CVE-2007-5530

Source: MITRE
Type: CNA
CVE-2007-5531

Source: MITRE
Type: CNA
CVE-2007-5532

Source: MITRE
Type: CNA
CVE-2007-5533

Source: MITRE
Type: CNA
CVE-2007-5534

Source: MITRE
Type: CNA
CVE-2007-5766

Source: CCN
Type: HP Security Bulletin HPSBMA02133 SSRT061201 rev.6
HP Oracle for OpenView (OfO) Critical Patch Update

Source: OSVDB
Type: UNKNOWN
40080

Source: SREASON
Type: UNKNOWN
3344

Source: CCN
Type: Oracle Critical Patch Update - October 2007
Oracle Critical Patch Update Advisory - October 2007

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/topics/security/cpuoct2007-092913.html

Source: BUGTRAQ
Type: UNKNOWN
20071031 ZDI-07-058: Oracle E-Business Suite SQL Injection Vulnerability

Source: CCN
Type: BID-26108
Oracle Database Remote Denial of Service Vulnerability

Source: MISC
Type: UNKNOWN
http://www.zerodayinitiative.com/advisories/ZDI-07-058.html

Source: XF
Type: UNKNOWN
oracle-cpu-oct2007(37279)

Source: CCN
Type: IBM Internet Security Systems X-Force Database
Oracle Database Advanced Queuing SYS.DBMS_AQADM buffer overflow

Vulnerable Configuration:Configuration 1:
  • cpe:/a:oracle:e-business_suite:11i:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:e-business_suite:12:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:oracle:application_server:1.0.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_server:10.1.2.0.1:r2:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_server:10.1.2.0.2:r2:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:10.1.0.5:r1:*:*:*:*:*:*
  • OR cpe:/a:oracle:collaboration_suite:10.1.2:r1:*:*:*:*:*:*
  • OR cpe:/a:oracle:e-business_suite:11.5.10:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:10.2.0.2:r2:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_server:9.0.4.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.22:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.47:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.48:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:9.2.0.8:r2:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:10.2.0.3:r2:*:*:*:*:*:*
  • OR cpe:/a:oracle:e-business_suite:12.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:peoplesoft_enterprise_human_capital_management:8.9:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:9.0.1.5::fips+:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:9.2.0.8dv:r2:*:*:*:*:*:*
  • OR cpe:/a:oracle:e-business_suite:12.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.49:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:peoplesoft_enterprise_human_capital_management:9.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterprise_manager:10.1.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterprise_manager_grid_control:10.1.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:e-business_suite:12.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:e-business_suite:11.5.8:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:e-business_suite:11.5.9:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:e-business_suite:12.0.3:*:*:*:*:*:*:*
  • AND
  • cpe:/a:hp:oracle_for_openview:8.1.7:*:*:*:*:*:*:*
  • OR cpe:/a:hp:oracle_for_openview:9.1.01:*:*:*:*:*:*:*
  • OR cpe:/a:hp:oracle_for_openview:9.2:*:*:*:*:*:*:*
  • OR cpe:/a:hp:oracle_for_openview:10g:*:*:*:*:*:*:*
  • OR cpe:/a:hp:oracle_for_openview:10g:r2:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Vulnerability Name:

    CVE-2007-5766 (CCN-38225)

    Assigned:2007-10-31
    Published:2007-10-31
    Updated:2007-10-31
    Summary:Oracle E-Business Suite is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the okxLOV.jsp script in the Administration console, which could allow the attacker to view, add, modify or delete information in the back-end database.
    CVSS v3 Severity:7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
    Exploitability Metrics:Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): None
    Scope:Scope (S): Unchanged
    Impact Metrics:Confidentiality (C): Low
    Integrity (I): Low
    Availibility (A): Low
    CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
    6.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)
    Exploitability Metrics:Access Vector (AV): 
    Access Complexity (AC): 
    Authentication (Au): 
    Impact Metrics:Confidentiality (C): 
    Integrity (I): 
    Availibility (A): 
    7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
    6.5 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)
    Exploitability Metrics:Access Vector (AV): 
    Access Complexity (AC): 
    Athentication (Au): 
    Impact Metrics:Confidentiality (C): 
    Integrity (I): 
    Availibility (A): 
    Vulnerability Consequences:Data Manipulation
    References:Source: MITRE
    Type: CNA
    CVE-2007-5766

    Source: CCN
    Type: Oracle Critical Patch Update - October 2007
    Oracle Critical Patch Update Advisory - October 2007

    Source: CCN
    Type: OSVDB ID: 40080
    Oracle E-Business Suite okxLOV.jsp Unspecified SQL Injection

    Source: XF
    Type: UNKNOWN
    oracle-ebusiness-okxlov-sql-injection(38225)

    Source: CCN
    Type: ZDI-07-058
    Oracle E-Business Suite SQL Injection Vulnerability

    Vulnerable Configuration:Configuration CCN 1:
  • cpe:/a:oracle:e-business_suite:11.5.10:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:e-business_suite:12.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:e-business_suite:12.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:e-business_suite:12.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:e-business_suite:11.5.8:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:e-business_suite:11.5.9:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:e-business_suite:12.0.3:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    oracle e-business suite 11i
    oracle e-business suite 12
    oracle application server 1.0.2.2
    oracle application server 10.1.2.0.1 r2
    oracle application server 10.1.2.0.2 r2
    oracle database server 10.1.0.5 r1
    oracle collaboration suite 10.1.2 r1
    oracle e-business suite 11.5.10
    oracle database server 10.2.0.2 r2
    oracle application server 9.0.4.3
    oracle peoplesoft enterprise peopletools 8.22
    oracle peoplesoft enterprise peopletools 8.47
    oracle peoplesoft enterprise peopletools 8.48
    oracle database server 9.2.0.8 r2
    oracle database server 10.2.0.3 r2
    oracle e-business suite 12.0.0
    oracle peoplesoft enterprise human capital management 8.9
    oracle database server 9.0.1.5
    oracle database server 9.2.0.8dv r2
    oracle e-business suite 12.0.1
    oracle peoplesoft enterprise peopletools 8.49
    oracle peoplesoft enterprise human capital management 9.0
    oracle enterprise manager 10.1.0.5
    oracle enterprise manager grid control 10.1.0.6
    oracle e-business suite 12.0.2
    oracle e-business suite 11.5.8
    oracle e-business suite 11.5.9
    oracle e-business suite 12.0.3
    hp oracle for openview 8.1.7
    hp oracle for openview 9.1.01
    hp oracle for openview 9.2
    hp oracle for openview 10g
    hp oracle for openview 10g r2
    oracle e-business suite 11.5.10
    oracle e-business suite 12.0.0
    oracle e-business suite 12.0.1
    oracle e-business suite 12.0.2
    oracle e-business suite 11.5.8
    oracle e-business suite 11.5.9
    oracle e-business suite 12.0.3