CVE-2006-0586 - Secunia Advisories - Vulnerability Intelligence

CVE Reference: CVE-2006-0586
NOTE: The text on this page is written by CVE MITRE and reflects neither the opinions of Secunia or the results of our research. All data on this page is written and maintained by CVE MITRE.

Original Page at CVE MITRE: CVE-2006-0586

Description: Multiple SQL injection vulnerabilities in Oracle 10g Release 1 before CPU Jan 2006 allow remote attackers to execute arbitary SQL commands via multiple parameters in (1) ATTACH_JOB, (2) HAS_PRIVS, and (3) OPEN_JOB functions in the SYS.KUPV$FT package; and (4) UPDATE_JOB, (5) ACTIVE_JOB, (6) ATTACH_POSSIBLE, (7) ATTACH_TO_JOB, (8) CREATE_NEW_JOB, (9) DELETE_JOB, (10) DELETE_MASTER_TABLE, (11) DETACH_JOB, (12) GET_JOB_INFO, (13) GET_JOB_QUEUES, (14) GET_SOLE_JOBNAME, (15) MASTER_TBL_LOCK, and (16) VALID_HANDLE functions in the SYS.KUPV$FT_INT package. NOTE: due to the lack of relevant details from the Oracle advisory, a separate CVE is being created since it cannot be conclusively proven that these issues has been addressed by Oracle. It is unclear which, if any, Oracle Vuln# identifiers apply to these issues.

CVE Status: Candidate

References: XF http://xforce.iss.net/xforce/xfdb/24197 OSVDB 22839 22840 MISC http://www.red-database-security.com/advisory/oracle_sql_injection_kupv$ft_int.html http://www.red-database-security.com/advisory/oracle_sql_injection_kupv$ft.html http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html FULLDISC http://lists.grok.org.uk/pipermail/full-disclosure/2006-January/041498.html http://lists.grok.org.uk/pipermail/full-disclosure/2006-January/041499.html BUGTRAQ http://www.securityfocus.com/archive/1/archive/1/422424/30/7370/threaded http://www.securityfocus.com/archive/1/archive/1/422423/30/7370/threaded BID 16294

Return to the previous page.