Overview
Oracle Reports fails to validate URI parameters, possibly allowing a remote attacker to read arbitrary files on the Reports Server.
Description
Oracle Reports is an enterprise reporting tool that extracts data from multiple sources and inserts it into a formatted report. It is a component of Oracle Application Server and the Oracle Developer Suite. Oracle Reports is accessible over a network via a URI. Improper validation of the desformat URI parameter may allow a remote attacker to read arbitrary files on the Oracle Reports Server. Based on research into public information, we believe that this issue is Oracle vuln# REP05 in the Oracle CPU for January 2006. However, there is not sufficient information to authoritatively relate Oracle vulnerability information to information provided by other parties.
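The note describes the defect as missing validation of the desformat parameter. As an added example that is not from this vulnerability note or from Oracle, the following Python applies an allowlist check to desformat (the set of accepted output-format names is an assumption; adjust it to what your deployment serves) and runs the same check over constructed access-log lines so suspicious requests to the Reports Server can be spotted:

```python
import re
from typing import Iterable, Iterator, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Output-format names accepted in desformat (ASSUMED list; tailor it to your site).
ALLOWED_DESFORMAT = {"pdf", "html", "htmlcss", "rtf", "xml", "delimited", "postscript"}

# Path separators, dot-dot, NUL and their percent-encoded forms never belong in a format name.
SUSPICIOUS = re.compile(r"[/\\]|\.\.|\x00|%(2e|2f|5c|00)", re.IGNORECASE)


def check_desformat(value: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for one desformat value taken from a query string."""
    # Decode twice so a double-encoded value (%252e) is caught as well.
    decoded = unquote(unquote(value))
    if SUSPICIOUS.search(value) or SUSPICIOUS.search(decoded):
        return False, "path-like characters in desformat"
    if decoded.strip().lower() not in ALLOWED_DESFORMAT:
        return False, "desformat %r not in allowlist" % decoded
    return True, "ok"


def check_request_uri(uri: str) -> Tuple[bool, str]:
    """Apply the allowlist to every desformat parameter present in a request URI."""
    params = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    for raw in params.get("desformat", []):   # parse_qs already URL-decodes once
        ok, why = check_desformat(raw)
        if not ok:
            return False, why
    return True, "ok"


# Constructed combined-format access-log lines; the servlet path and IPs are sample values.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jan/2006:10:00:01 +0000] "GET /reports/rwservlet?report=sales.rdf&desformat=PDF HTTP/1.1" 200 5120',
    '10.0.0.9 - - [19/Jan/2006:10:00:02 +0000] "GET /reports/rwservlet?report=sales.rdf&desformat=..%2F..%2Fsomefile HTTP/1.1" 200 812',
]
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def scan_access_log(lines: Iterable[str]) -> Iterator[Tuple[str, str, str]]:
    """Yield (client_ip, uri, reason) for each log line whose desformat fails the check."""
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ok, why = check_request_uri(m.group(2))
        if not ok:
            yield m.group(1), m.group(2), why


if __name__ == "__main__":
    for ip, uri, why in scan_access_log(SAMPLE_LOG):
        print(ip, uri, why)
```

The same allowlist can be enforced in a reverse proxy or WAF rule in front of the Reports Server until the vendor patch is applied.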
Impact
A remote attacker may be able to read files on the server by sending a specially crafted URI to Oracle Reports.
Solution
Apply patches
Restrict Access to Reports Server
Vendor Information
CVSS Metrics
References
Acknowledgements
This document is based on information provided by Alexander Kornbrust.
This document was written by Jeff Gennari.
Other Information
CVE IDs: CVE-2005-2378
Severity Metric: 4.25
Date Public: 2005-07-19
Date First Published: 2006-01-19
Date Last Updated: 2006-01-20 16:40 UTC
Document Revision: 17