Vulnerability Note VU#221788
Oracle SYS.DBMS_AQ package vulnerable to PL/SQL injection
The Oracle SYS.DBMS_AQ package is vulnerable to PL/SQL injection. This vulnerability may allow a remote, authenticated attacker to execute arbitrary PL/SQL commands on a vulnerable Oracle installation.
The Oracle SYS.DBMS_AQ package fails to properly sanitize user input. This may allow a remote attacker to insert arbitrary PL/SQL commands that may be executed by the database. Note that an attacker must have execute privileges on the SYS.DBMS_AQ package to exploit this vulnerability.
Based on research into public information, we believe that this issue is Oracle Vuln# DB01 in the October 2007 January CPU. However, there is not sufficient information to authoritatively relate Oracle vulnerability information to information provided by other parties.
A remote attacker may be able to execute PL/SQL queries on a server, possibly with elevated privileges. As a result, attackers may be able to view or modify the contents of an Oracle database.
Apply patches from Oracle
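Because exploitation requires execute privileges on SYS.DBMS_AQ, a review of who holds that privilege shows which accounts can reach the vulnerable package. The queries below are an added example, not part of the original advisory or of Oracle's guidance; they assume an account that can read the DBA_* dictionary views and Oracle 10g or later (for CONNECT_BY_ROOT).

```sql
-- 1. Direct grantees of EXECUTE on SYS.DBMS_AQ.
--    A grantee may be a user, a role, or PUBLIC (every account).
SELECT grantee,
       grantor,
       grantable
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    table_name = 'DBMS_AQ'
AND    privilege  = 'EXECUTE'
ORDER  BY grantee;

-- 2. Users who receive the privilege indirectly, through a role that
--    holds it or through a chain of nested roles ending in such a role.
--    VIA_ROLE is the role that holds the EXECUTE grant from query 1.
SELECT DISTINCT
       rp.grantee                      AS username,
       CONNECT_BY_ROOT rp.granted_role AS via_role
FROM   dba_role_privs rp
WHERE  rp.grantee IN (SELECT username FROM dba_users)
START  WITH rp.granted_role IN (
         SELECT grantee
         FROM   dba_tab_privs
         WHERE  owner      = 'SYS'
         AND    table_name = 'DBMS_AQ'
         AND    privilege  = 'EXECUTE')
CONNECT BY PRIOR rp.grantee = rp.granted_role
ORDER  BY username, via_role;
```

Grants that no application depends on can be revoked to narrow the set of accounts able to call the package until the Oracle patches are applied.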
Systems Affected

|Vendor|Status|Date Notified|Date Updated|
|---|---|---|---|
|Oracle Corporation|Affected|-|17 Jan 2007|
This document was written by Jeff Gennari based on information from Oracle and Alexander Kornbrust of Red-Database-Security GmbH.
- CVE IDs: Unknown
- Date Public: 17 Jan 2007
- Date First Published: 17 Jan 2007
- Date Last Updated: 17 Jan 2007
- Severity Metric: 4.20
- Document Revision: 9