Vulnerability Note VU#229047
Allround Automations PL/SQL Developer v11 performs updates over HTTP
Allround Automations PL/SQL Developer version 11 checks for updates over HTTP and does not verify updates before executing commands, which may allow an attacker to execute arbitrary code.
CWE-345: Insufficient Verification of Data Authenticity - CVE-2016-2346
According to the researcher, Allround Automations PL/SQL Developer version 11 periodically checks for updates over HTTP. When an update is available, PL/SQL Developer downloads the update and executes the update without verifying authenticity or performing other checks.
A remote attacker with a man-in-the-middle position may able to execute code with permissions of the PL/SQL Developer user.
Apply an update
Avoid untrusted networks
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Allround Automations||Affected||15 Mar 2016||25 Apr 2016|
CVSS Metrics (Learn More)
Thanks to Adam Caudill for reporting this vulnerability.
This document was written by Garret Wassermann.
- CVE IDs: CVE-2016-2346
- Date Public: 29 Apr 2016
- Date First Published: 25 Apr 2016
- Date Last Updated: 02 May 2016
- Document Revision: 48
If you have feedback, comments, or additional information about this vulnerability, please send us email.