The Oracle MDSYS.SDO_LRS package is vulnerable to PL/SQL injection. This vulnerability may allow a remote, authenticated attacker to execute arbitrary PL/SQL commands on a vulnerable Oracle installation.
The Oracle MDSYS.SDO_LRS package is vulnerable to PL/SQL injection. Specifically, the CONVERT_TO_LRS_LAYER procedure fails to properly filter user input. Note that an attacker must have execute privileges on MDSYS.SDO_LRS package, and the ability to create a PL/SQL function to exploit this vulnerability.
Based on research into public information, we believe that this issue is Oracle vuln# DB13 in the October 2006 Oracle CPU. However, there is not sufficient information to authoritatively relate Oracle vulnerability information to information provided by other parties.
A remote attacker may be able to execute arbitrary PL/SQL queries on a server, possibly with elevated privileges. As a result, attackers may be able to view or modify the contents of an Oracle database.
T his vulnerability was reported by in the Oracle Critical Patch Update for October 2006
|Date First Published:||2006-10-24|
|Date Last Updated:||2006-10-24 14:21 UTC|