Overview
Oracle Spatial is vulnerable to SQL injection, possibly allowing a remote attacker to execute arbitrary SQL commands on a vulnerable Oracle installation.
Description
Oracle Spatial fails to properly filter user-supplied input. This could allow a remote attacker to insert arbitrary SQL commands, which may be executed by the database. Based on research into public information, we believe that this issue is Oracle vuln# DB12 in the Oracle CPU for April 2006. However, there is not sufficient information to authoritatively relate Oracle vulnerability information to information provided by other parties. |
Impact
A remote attacker may be able to execute SQL queries on a server, possibly with elevated privileges. As a result, attackers may be able to view or modify the contents of an Oracle database. |
Solution
Apply patches |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
This vulnerability was reported in the Oracle Critical Patch Update for April 2006. Information in this document came from Oracle and Alexander Kornbrust of Red-Database Security,
This document was written by Jeff Gennari.
Other Information
| CVE IDs: | None |
| Severity Metric: | 5.37 |
| Date Public: | 2006-04-18 |
| Date First Published: | 2006-04-19 |
| Date Last Updated: | 2006-04-19 20:56 UTC |
| Document Revision: | 23 |