Oracle Database Server SQL Injection in SYS.DBMS_SQLTUNE_INTERNAL package
Gravité: : Critique
Identifiant(s) CVE: : CVE-2006-5338
Date du conseil: 21 juillet 2015
Description
Unspecified vulnerability in the Core RDBMS component in Oracle Database 10.1.0.5 and 10.2.0.0 has unknown impact and remote authenticated attack vectors related to sys.dbms_sqltune, aka Vuln# DB10. NOTE: as of 20061023, Oracle has not disputed reports from reliable third parties that DB10 is for SQL injection in DROP_SQLSET, DELETE_SQLSET, SELECT_SQLSET, and I_SET_TUNING_PARAMETER. NOTE: some of these vectors might be in DBMS_SQLTUNE_INTERNAL.
Information Exposure Rating:
Apply associated Trend Micro DPI Rules.
Solutions
Trend Micro Deep Security DPI Rule Number: 1000824
Trend Micro Deep Security DPI Rule Name: 1000824 - Oracle Database Server SQL Injection In Multiple Procedures Of DBMS_SQLTUNE_INTERNAL Package
Affected software and version:
- Oracle Oracle10g Database Server 10.1.0.5
- Oracle Oracle10g Database Server 10.2.0.0