cvelistv5 - cve-2014-6577

CVE-2014-6577 (GCVE-0-2014-6577)

Vulnerability from cvelistv5 – Published: 2015-01-21 15:00 – Updated: 2024-08-06 12:17

Summary

Unspecified vulnerability in the XML Developer's Kit for C component in Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the original researcher's claim that this is an XML external entity (XXE) vulnerability in the XML parser, which allows attackers to conduct internal port scanning, perform SSRF attacks, or cause a denial of service via a crafted (1) http: or (2) ftp: URI.

Severity ?

No CVSS data available.

CWE

Assigner

oracle

References

URL

Tags

	http://www.securityfocus.com/bid/72139	vdb-entryx_refsource_BID
	https://blog.netspi.com/advisory-xxe-injection-or…	x_refsource_MISC
	http://www.oracle.com/technetwork/topics/security…	x_refsource_CONFIRM
	http://www.securitytracker.com/id/1031572	vdb-entryx_refsource_SECTRACK

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T12:17:24.390Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "72139",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/72139"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://blog.netspi.com/advisory-xxe-injection-oracle-database-cve-2014-6577/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html"
          },
          {
            "name": "1031572",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1031572"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-01-17T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Unspecified vulnerability in the XML Developer\u0027s Kit for C component in Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors.  NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the original researcher\u0027s claim that this is an XML external entity (XXE) vulnerability in the XML parser, which allows attackers to conduct internal port scanning, perform SSRF attacks, or cause a denial of service via a crafted (1) http: or (2) ftp: URI."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-11-25T19:57:01",
        "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "shortName": "oracle"
      },
      "references": [
        {
          "name": "72139",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/72139"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://blog.netspi.com/advisory-xxe-injection-oracle-database-cve-2014-6577/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html"
        },
        {
          "name": "1031572",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1031572"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert_us@oracle.com",
          "ID": "CVE-2014-6577",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Unspecified vulnerability in the XML Developer\u0027s Kit for C component in Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors.  NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the original researcher\u0027s claim that this is an XML external entity (XXE) vulnerability in the XML parser, which allows attackers to conduct internal port scanning, perform SSRF attacks, or cause a denial of service via a crafted (1) http: or (2) ftp: URI."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "72139",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/72139"
            },
            {
              "name": "https://blog.netspi.com/advisory-xxe-injection-oracle-database-cve-2014-6577/",
              "refsource": "MISC",
              "url": "https://blog.netspi.com/advisory-xxe-injection-oracle-database-cve-2014-6577/"
            },
            {
              "name": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html",
              "refsource": "CONFIRM",
              "url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html"
            },
            {
              "name": "1031572",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1031572"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
    "assignerShortName": "oracle",
    "cveId": "CVE-2014-6577",
    "datePublished": "2015-01-21T15:00:00",
    "dateReserved": "2014-09-17T00:00:00",
    "dateUpdated": "2024-08-06T12:17:24.390Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:database_server:11.2.0.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"165A1F85-076B-4216-8EF8-D67E6EC63A6B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:database_server:11.2.0.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C1E11A25-C7CE-49DF-99CA-352FD21B8230\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:database_server:12.1.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5A7D10EB-D98F-4B80-AB9F-D8A9FC813E1C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:database_server:12.1.0.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4F3D40B7-925C-413D-AFF3-60BF330D5BC2\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Unspecified vulnerability in the XML Developer\u0027s Kit for C component in Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors.  NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the original researcher\u0027s claim that this is an XML external entity (XXE) vulnerability in the XML parser, which allows attackers to conduct internal port scanning, perform SSRF attacks, or cause a denial of service via a crafted (1) http: or (2) ftp: URI.\"}, {\"lang\": \"es\", \"value\": \"Vulnerabilidad no especificada en el componente XML Developer\u0027s Kit for C en Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, y 12.1.0.2 permite a usuarios remotos autenticados afectar la confidencialidad a trav\\u00e9s de vectores desconocidos. NOTA: la informaci\\u00f3n previa es la CPU de enero del 2015. Oracle no ha comentado sobre la declaraci\\u00f3n del investigador original de que esto se trata de una vulnerabilidad de entidad externa XML (XXE) en el analizador de XML, lo que permite a atacantes realizar el escaneo de puertos internos, realizar ataques de SSRF o causar una denegaci\\u00f3n de servicio a trav\\u00e9s de una URI (1) http: o (2) ftp: manipulada.\"}]",
      "evaluatorComment": "Per: http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html\n\nThe CVSS score is 6.8 only on Windows for Database versions prior to 12c. The CVSS is 4.0 (Confidentiality is \"Partial+\") for Database 12c on Windows and for all versions of Database on Linux, Unix and other platforms.",
      "id": "CVE-2014-6577",
      "lastModified": "2024-11-21T02:14:41.517",
      "metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:C/I:N/A:N\", \"baseScore\": 6.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"COMPLETE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 6.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2015-01-21T15:28:16.213",
      "references": "[{\"url\": \"http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html\", \"source\": \"secalert_us@oracle.com\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/72139\", \"source\": \"secalert_us@oracle.com\"}, {\"url\": \"http://www.securitytracker.com/id/1031572\", \"source\": \"secalert_us@oracle.com\"}, {\"url\": \"https://blog.netspi.com/advisory-xxe-injection-oracle-database-cve-2014-6577/\", \"source\": \"secalert_us@oracle.com\", \"tags\": [\"Exploit\"]}, {\"url\": \"http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/72139\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securitytracker.com/id/1031572\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://blog.netspi.com/advisory-xxe-injection-oracle-database-cve-2014-6577/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\"]}]",
      "sourceIdentifier": "secalert_us@oracle.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2014-6577\",\"sourceIdentifier\":\"secalert_us@oracle.com\",\"published\":\"2015-01-21T15:28:16.213\",\"lastModified\":\"2025-04-12T10:46:40.837\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Unspecified vulnerability in the XML Developer\u0027s Kit for C component in Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors.  NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the original researcher\u0027s claim that this is an XML external entity (XXE) vulnerability in the XML parser, which allows attackers to conduct internal port scanning, perform SSRF attacks, or cause a denial of service via a crafted (1) http: or (2) ftp: URI.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad no especificada en el componente XML Developer\u0027s Kit for C en Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, y 12.1.0.2 permite a usuarios remotos autenticados afectar la confidencialidad a trav\u00e9s de vectores desconocidos. NOTA: la informaci\u00f3n previa es la CPU de enero del 2015. Oracle no ha comentado sobre la declaraci\u00f3n del investigador original de que esto se trata de una vulnerabilidad de entidad externa XML (XXE) en el analizador de XML, lo que permite a atacantes realizar el escaneo de puertos internos, realizar ataques de SSRF o causar una denegaci\u00f3n de servicio a trav\u00e9s de una URI (1) http: o (2) ftp: manipulada.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:C/I:N/A:N\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":6.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:database_server:11.2.0.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"165A1F85-076B-4216-8EF8-D67E6EC63A6B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:database_server:11.2.0.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C1E11A25-C7CE-49DF-99CA-352FD21B8230\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:database_server:12.1.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5A7D10EB-D98F-4B80-AB9F-D8A9FC813E1C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:database_server:12.1.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4F3D40B7-925C-413D-AFF3-60BF330D5BC2\"}]}]}],\"references\":[{\"url\":\"http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html\",\"source\":\"secalert_us@oracle.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/72139\",\"source\":\"secalert_us@oracle.com\"},{\"url\":\"http://www.securitytracker.com/id/1031572\",\"source\":\"secalert_us@oracle.com\"},{\"url\":\"https://blog.netspi.com/advisory-xxe-injection-oracle-database-cve-2014-6577/\",\"source\":\"secalert_us@oracle.com\",\"tags\":[\"Exploit\"]},{\"url\":\"http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/72139\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securitytracker.com/id/1031572\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://blog.netspi.com/advisory-xxe-injection-oracle-database-cve-2014-6577/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\"]}],\"evaluatorComment\":\"Per: http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html\\n\\nThe CVSS score is 6.8 only on Windows for Database versions prior to 12c. The CVSS is 4.0 (Confidentiality is \\\"Partial+\\\") for Database 12c on Windows and for all versions of Database on Linux, Unix and other platforms.\"}}"
  }
}

FKIE_CVE-2014-6577

Vulnerability from fkie_nvd - Published: 2015-01-21 15:28 - Updated: 2025-04-12 10:46

Severity ?

Summary

References

URL	Tags
secalert_us@oracle.com	http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html	Patch, Vendor Advisory
secalert_us@oracle.com	http://www.securityfocus.com/bid/72139
secalert_us@oracle.com	http://www.securitytracker.com/id/1031572
secalert_us@oracle.com	https://blog.netspi.com/advisory-xxe-injection-oracle-database-cve-2014-6577/	Exploit
af854a3a-2127-422b-91ae-364da2661108	http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/72139
af854a3a-2127-422b-91ae-364da2661108	http://www.securitytracker.com/id/1031572
af854a3a-2127-422b-91ae-364da2661108	https://blog.netspi.com/advisory-xxe-injection-oracle-database-cve-2014-6577/	Exploit

Impacted products

Vendor	Product	Version
oracle	database_server	11.2.0.3
oracle	database_server	11.2.0.4
oracle	database_server	12.1.0.1
oracle	database_server	12.1.0.2

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:oracle:database_server:11.2.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "165A1F85-076B-4216-8EF8-D67E6EC63A6B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:database_server:11.2.0.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "C1E11A25-C7CE-49DF-99CA-352FD21B8230",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:database_server:12.1.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "5A7D10EB-D98F-4B80-AB9F-D8A9FC813E1C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:database_server:12.1.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "4F3D40B7-925C-413D-AFF3-60BF330D5BC2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Unspecified vulnerability in the XML Developer\u0027s Kit for C component in Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors.  NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the original researcher\u0027s claim that this is an XML external entity (XXE) vulnerability in the XML parser, which allows attackers to conduct internal port scanning, perform SSRF attacks, or cause a denial of service via a crafted (1) http: or (2) ftp: URI."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad no especificada en el componente XML Developer\u0027s Kit for C en Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, y 12.1.0.2 permite a usuarios remotos autenticados afectar la confidencialidad a trav\u00e9s de vectores desconocidos. NOTA: la informaci\u00f3n previa es la CPU de enero del 2015. Oracle no ha comentado sobre la declaraci\u00f3n del investigador original de que esto se trata de una vulnerabilidad de entidad externa XML (XXE) en el analizador de XML, lo que permite a atacantes realizar el escaneo de puertos internos, realizar ataques de SSRF o causar una denegaci\u00f3n de servicio a trav\u00e9s de una URI (1) http: o (2) ftp: manipulada."
    }
  ],
  "evaluatorComment": "Per: http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html\n\nThe CVSS score is 6.8 only on Windows for Database versions prior to 12c. The CVSS is 4.0 (Confidentiality is \"Partial+\") for Database 12c on Windows and for all versions of Database on Linux, Unix and other platforms.",
  "id": "CVE-2014-6577",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 6.8,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:C/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2015-01-21T15:28:16.213",
  "references": [
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html"
    },
    {
      "source": "secalert_us@oracle.com",
      "url": "http://www.securityfocus.com/bid/72139"
    },
    {
      "source": "secalert_us@oracle.com",
      "url": "http://www.securitytracker.com/id/1031572"
    },
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Exploit"
      ],
      "url": "https://blog.netspi.com/advisory-xxe-injection-oracle-database-cve-2014-6577/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/72139"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securitytracker.com/id/1031572"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "https://blog.netspi.com/advisory-xxe-injection-oracle-database-cve-2014-6577/"
    }
  ],
  "sourceIdentifier": "secalert_us@oracle.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CNVD-2015-00490

Vulnerability from cnvd - Published: 2015-01-22

Title

Oracle Database Server远程漏洞（CNVD-2015-00490）

Description

Oracle Database是一款商业性质的大型数据库。 Oracle Database Server存在远程漏洞，允许攻击者利用 'HTTP'协议获得 'Valid account' 权限。

Severity

中

Patch Name

Oracle Database Server远程漏洞（CNVD-2015-00490）的补丁

Patch Description

Oracle Database是一款商业性质的大型数据库。 Oracle Database Server存在远程漏洞，允许攻击者利用 'HTTP'协议获得 'Valid account' 权限。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

用户可参考如下厂商提供的安全公告获取补丁以修复该漏洞： http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

Reference

http://www.securityfocus.com/bid/72139 http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

Impacted products

Name
['Oracle database server 11.2.0.3', 'Oracle database server 11.2.0.4', 'Oracle Database Server 12.1.0.1', 'Oracle Database Server 12.1.0.2']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "72139"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2014-6577"
    }
  },
  "description": "Oracle Database\u662f\u4e00\u6b3e\u5546\u4e1a\u6027\u8d28\u7684\u5927\u578b\u6570\u636e\u5e93\u3002 \r\n\r\nOracle Database Server\u5b58\u5728\u8fdc\u7a0b\u6f0f\u6d1e\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u5229\u7528 \u0027HTTP\u0027\u534f\u8bae\u83b7\u5f97 \u0027Valid account\u0027 \u6743\u9650\u3002",
  "discovererName": "Oracle",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u53d6\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a \r\nhttp://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2015-00490",
  "openTime": "2015-01-22",
  "patchDescription": "Oracle Database\u662f\u4e00\u6b3e\u5546\u4e1a\u6027\u8d28\u7684\u5927\u578b\u6570\u636e\u5e93\u3002\r\nOracle Database Server\u5b58\u5728\u8fdc\u7a0b\u6f0f\u6d1e\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u5229\u7528 \u0027HTTP\u0027\u534f\u8bae\u83b7\u5f97 \u0027Valid account\u0027 \u6743\u9650\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Oracle Database Server\u8fdc\u7a0b\u6f0f\u6d1e\uff08CNVD-2015-00490\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Oracle database server 11.2.0.3",
      "Oracle database server 11.2.0.4",
      "Oracle Database Server 12.1.0.1",
      "Oracle Database Server 12.1.0.2"
    ]
  },
  "referenceLink": "http://www.securityfocus.com/bid/72139\r\nhttp://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html",
  "serverity": "\u4e2d",
  "submitTime": "2015-01-21",
  "title": "Oracle Database Server\u8fdc\u7a0b\u6f0f\u6d1e\uff08CNVD-2015-00490\uff09"
}

CERTFR-2015-AVI-033

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été corrigées dans Oracle Database Server. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance, un contournement de la politique de sécurité, une atteinte à l'intégrité des données, une atteinte à la confidentialité des données, ou une élévation de privilèges.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Oracle	Database Server	XML Developers Kit Version 11.2.0.3
Oracle	Database Server	OLAP Version 11.1.0.7
Oracle	Database Server	XML Developers Kit Version 12.1.0.2
Oracle	Database Server	PL/SQL Version 12.1.0.1
Oracle	Database Server	Oracle Database Version 12.1.0.2
Oracle	Database Server	PL/SQL Version 11.1.0.7
Oracle	Database Server	Workspace Manager Version 11.2.0.3
Oracle	Database Server	Oracle Database Version 11.1.0.7
Oracle	Database Server	PL/SQL Version 11.2.0.3
Oracle	Database Server	OLAP Version 12.1.0.1
Oracle	Database Server	PL/SQL Version 11.2.0.4
Oracle	Database Server	OLAP Version 12.1.0.2
Oracle	Database Server	Workspace Manager Version 12.1.0.1
Oracle	Database Server	Workspace Manager Version 11.2.0.4
Oracle	Database Server	Workspace Manager Version 11.1.0.7
Oracle	Database Server	Oracle Database Version 11.2.0.4
Oracle	Database Server	OLAP Version 11.2.0.3
Oracle	Database Server	Oracle Database Version 12.1.0.1
Oracle	Database Server	OLAP Version 11.2.0.4
Oracle	Database Server	XML Developers Kit Version 12.1.0.1
Oracle	Database Server	Oracle Database Version 11.2.0.3
Oracle	Database Server	XML Developers Kit Version 11.2.0.4

References

Title

Publication Time

Tags

Bulletin de sécurité Oracle CPUJan2015 du 20 janvier 2015

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "XML Developers Kit Version 11.2.0.3",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "OLAP Version 11.1.0.7",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "XML Developers Kit Version 12.1.0.2",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "PL/SQL Version 12.1.0.1",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Database Version 12.1.0.2",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "PL/SQL Version 11.1.0.7",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Workspace Manager Version 11.2.0.3",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Database Version 11.1.0.7",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "PL/SQL Version 11.2.0.3",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "OLAP Version 12.1.0.1",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "PL/SQL Version 11.2.0.4",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "OLAP Version 12.1.0.2",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Workspace Manager Version 12.1.0.1",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Workspace Manager Version 11.2.0.4",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Workspace Manager Version 11.1.0.7",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Database Version 11.2.0.4",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "OLAP Version 11.2.0.3",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Database Version 12.1.0.1",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "OLAP Version 11.2.0.4",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "XML Developers Kit Version 12.1.0.1",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Database Version 11.2.0.3",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "XML Developers Kit Version 11.2.0.4",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2014-6577",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-6577"
    },
    {
      "name": "CVE-2015-0370",
      "url": "https://www.cve.org/CVERecord?id=CVE-2015-0370"
    },
    {
      "name": "CVE-2015-0371",
      "url": "https://www.cve.org/CVERecord?id=CVE-2015-0371"
    },
    {
      "name": "CVE-2014-6567",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-6567"
    },
    {
      "name": "CVE-2015-0373",
      "url": "https://www.cve.org/CVERecord?id=CVE-2015-0373"
    },
    {
      "name": "CVE-2014-6514",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-6514"
    },
    {
      "name": "CVE-2014-6541",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-6541"
    },
    {
      "name": "CVE-2014-6578",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-6578"
    }
  ],
  "links": [],
  "reference": "CERTFR-2015-AVI-033",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2015-01-21T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eOracle Database Server\u003c/span\u003e. Certaines d\u0027entre elles\npermettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire\n\u00e0 distance, un d\u00e9ni de service \u00e0 distance, un contournement de la\npolitique de s\u00e9curit\u00e9, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es, une\natteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, ou une \u00e9l\u00e9vation de\nprivil\u00e8ges.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Oracle Database Server",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Oracle CPUJan2015 du 20 janvier 2015",
      "url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html"
    }
  ]
}

CERTFR-2015-AVI-033

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Oracle	Database Server	XML Developers Kit Version 11.2.0.3
Oracle	Database Server	OLAP Version 11.1.0.7
Oracle	Database Server	XML Developers Kit Version 12.1.0.2
Oracle	Database Server	PL/SQL Version 12.1.0.1
Oracle	Database Server	Oracle Database Version 12.1.0.2
Oracle	Database Server	PL/SQL Version 11.1.0.7
Oracle	Database Server	Workspace Manager Version 11.2.0.3
Oracle	Database Server	Oracle Database Version 11.1.0.7
Oracle	Database Server	PL/SQL Version 11.2.0.3
Oracle	Database Server	OLAP Version 12.1.0.1
Oracle	Database Server	PL/SQL Version 11.2.0.4
Oracle	Database Server	OLAP Version 12.1.0.2
Oracle	Database Server	Workspace Manager Version 12.1.0.1
Oracle	Database Server	Workspace Manager Version 11.2.0.4
Oracle	Database Server	Workspace Manager Version 11.1.0.7
Oracle	Database Server	Oracle Database Version 11.2.0.4
Oracle	Database Server	OLAP Version 11.2.0.3
Oracle	Database Server	Oracle Database Version 12.1.0.1
Oracle	Database Server	OLAP Version 11.2.0.4
Oracle	Database Server	XML Developers Kit Version 12.1.0.1
Oracle	Database Server	Oracle Database Version 11.2.0.3
Oracle	Database Server	XML Developers Kit Version 11.2.0.4

References

Title

Publication Time

Tags

Bulletin de sécurité Oracle CPUJan2015 du 20 janvier 2015

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "XML Developers Kit Version 11.2.0.3",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "OLAP Version 11.1.0.7",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "XML Developers Kit Version 12.1.0.2",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "PL/SQL Version 12.1.0.1",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Database Version 12.1.0.2",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "PL/SQL Version 11.1.0.7",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Workspace Manager Version 11.2.0.3",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Database Version 11.1.0.7",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "PL/SQL Version 11.2.0.3",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "OLAP Version 12.1.0.1",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "PL/SQL Version 11.2.0.4",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "OLAP Version 12.1.0.2",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Workspace Manager Version 12.1.0.1",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Workspace Manager Version 11.2.0.4",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Workspace Manager Version 11.1.0.7",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Database Version 11.2.0.4",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "OLAP Version 11.2.0.3",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Database Version 12.1.0.1",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "OLAP Version 11.2.0.4",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "XML Developers Kit Version 12.1.0.1",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Database Version 11.2.0.3",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "XML Developers Kit Version 11.2.0.4",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2014-6577",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-6577"
    },
    {
      "name": "CVE-2015-0370",
      "url": "https://www.cve.org/CVERecord?id=CVE-2015-0370"
    },
    {
      "name": "CVE-2015-0371",
      "url": "https://www.cve.org/CVERecord?id=CVE-2015-0371"
    },
    {
      "name": "CVE-2014-6567",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-6567"
    },
    {
      "name": "CVE-2015-0373",
      "url": "https://www.cve.org/CVERecord?id=CVE-2015-0373"
    },
    {
      "name": "CVE-2014-6514",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-6514"
    },
    {
      "name": "CVE-2014-6541",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-6541"
    },
    {
      "name": "CVE-2014-6578",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-6578"
    }
  ],
  "links": [],
  "reference": "CERTFR-2015-AVI-033",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2015-01-21T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eOracle Database Server\u003c/span\u003e. Certaines d\u0027entre elles\npermettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire\n\u00e0 distance, un d\u00e9ni de service \u00e0 distance, un contournement de la\npolitique de s\u00e9curit\u00e9, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es, une\natteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, ou une \u00e9l\u00e9vation de\nprivil\u00e8ges.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Oracle Database Server",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Oracle CPUJan2015 du 20 janvier 2015",
      "url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html"
    }
  ]
}

GSD-2014-6577

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2014-6577

Aliases

CVE-2014-6577

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2014-6577",
    "description": "Unspecified vulnerability in the XML Developer\u0027s Kit for C component in Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors.  NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the original researcher\u0027s claim that this is an XML external entity (XXE) vulnerability in the XML parser, which allows attackers to conduct internal port scanning, perform SSRF attacks, or cause a denial of service via a crafted (1) http: or (2) ftp: URI.",
    "id": "GSD-2014-6577"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2014-6577"
      ],
      "details": "Unspecified vulnerability in the XML Developer\u0027s Kit for C component in Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors.  NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the original researcher\u0027s claim that this is an XML external entity (XXE) vulnerability in the XML parser, which allows attackers to conduct internal port scanning, perform SSRF attacks, or cause a denial of service via a crafted (1) http: or (2) ftp: URI.",
      "id": "GSD-2014-6577",
      "modified": "2023-12-13T01:22:50.138979Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert_us@oracle.com",
        "ID": "CVE-2014-6577",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Unspecified vulnerability in the XML Developer\u0027s Kit for C component in Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors.  NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the original researcher\u0027s claim that this is an XML external entity (XXE) vulnerability in the XML parser, which allows attackers to conduct internal port scanning, perform SSRF attacks, or cause a denial of service via a crafted (1) http: or (2) ftp: URI."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "72139",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/72139"
          },
          {
            "name": "https://blog.netspi.com/advisory-xxe-injection-oracle-database-cve-2014-6577/",
            "refsource": "MISC",
            "url": "https://blog.netspi.com/advisory-xxe-injection-oracle-database-cve-2014-6577/"
          },
          {
            "name": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html",
            "refsource": "CONFIRM",
            "url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html"
          },
          {
            "name": "1031572",
            "refsource": "SECTRACK",
            "url": "http://www.securitytracker.com/id/1031572"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:oracle:database_server:12.1.0.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:database_server:12.1.0.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:database_server:11.2.0.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:database_server:11.2.0.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert_us@oracle.com",
          "ID": "CVE-2014-6577"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Unspecified vulnerability in the XML Developer\u0027s Kit for C component in Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors.  NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the original researcher\u0027s claim that this is an XML external entity (XXE) vulnerability in the XML parser, which allows attackers to conduct internal port scanning, perform SSRF attacks, or cause a denial of service via a crafted (1) http: or (2) ftp: URI."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-noinfo"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html"
            },
            {
              "name": "https://blog.netspi.com/advisory-xxe-injection-oracle-database-cve-2014-6577/",
              "refsource": "MISC",
              "tags": [
                "Exploit"
              ],
              "url": "https://blog.netspi.com/advisory-xxe-injection-oracle-database-cve-2014-6577/"
            },
            {
              "name": "1031572",
              "refsource": "SECTRACK",
              "tags": [],
              "url": "http://www.securitytracker.com/id/1031572"
            },
            {
              "name": "72139",
              "refsource": "BID",
              "tags": [],
              "url": "http://www.securityfocus.com/bid/72139"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 6.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2016-11-28T19:12Z",
      "publishedDate": "2015-01-21T15:28Z"
    }
  }
}

GHSA-H2VF-9R2M-CHG4

Vulnerability from github – Published: 2022-05-17 03:46 – Updated: 2025-04-12 12:44

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2014-6577"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2015-01-21T15:28:00Z",
    "severity": "MODERATE"
  },
  "details": "Unspecified vulnerability in the XML Developer\u0027s Kit for C component in Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors.  NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the original researcher\u0027s claim that this is an XML external entity (XXE) vulnerability in the XML parser, which allows attackers to conduct internal port scanning, perform SSRF attacks, or cause a denial of service via a crafted (1) http: or (2) ftp: URI.",
  "id": "GHSA-h2vf-9r2m-chg4",
  "modified": "2025-04-12T12:44:23Z",
  "published": "2022-05-17T03:46:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-6577"
    },
    {
      "type": "WEB",
      "url": "https://blog.netspi.com/advisory-xxe-injection-oracle-database-cve-2014-6577"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/72139"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1031572"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2014-6577 (GCVE-0-2014-6577)

FKIE_CVE-2014-6577

CNVD-2015-00490

CERTFR-2015-AVI-033

Solution

CERTFR-2015-AVI-033

Solution

GSD-2014-6577

GHSA-H2VF-9R2M-CHG4

Tags

Sightings

Nomenclature