CVE-2008-6065

Sažetak

Oracle Database Server 10.1, 10.2, and 11g grants directory WRITE permissions for arbitrary pathnames that are aliased in a CREATE OR REPLACE DIRECTORY statement, which allows remote authenticated users with CREATE ANY DIRECTORY privileges to gain SYSDBA privileges by aliasing the pathname of the password directory, and then overwriting the password file through UTL_FILE operations, a related issue to CVE-2006-7141.

Reference

http://www.oracleforensics.com/wordpress/index.php/2008/10/10/create-any-directory-to-sysdba/
http://www.oracleforensics.com/wordpress/wp-content/uploads/2008/10/create-any-directory-to-sysdba.pdf
http://www.securityfocus.com/archive/1/497286/100/0/threaded
http://www.securityfocus.com/bid/31738
https://exchange.xforce.ibmcloud.com/vulnerabilities/48814

CVSS

Base:	5.1
Impact:	6.4
Exploitability:	4.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	HIGH	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:H/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

30-10-2018 - 16:25

Objavljeno

05-02-2009 - 02:30