Allround Automations PL/SQL Developer version 11 checks for updates over HTTP and does not verify updates before executing commands, which may allow an attacker to execute arbitrary code.
CWE-345: Insufficient Verification of Data Authenticity - CVE-2016-2346
According to the researcher, Allround Automations PL/SQL Developer version 11 periodically checks for updates over HTTP. When an update is available, PL/SQL Developer downloads the update and executes the update without verifying authenticity or performing other checks.
A remote attacker with a man-in-the-middle position may able to execute code with permissions of the PL/SQL Developer user.
Apply an update
Avoid untrusted networks
Thanks to Adam Caudill for reporting this vulnerability.
This document was written by Garret Wassermann.
|Date First Published:||2016-04-25|
|Date Last Updated:||2016-05-02 15:23 UTC|