cve-2015-0393
Vulnerability from cvelistv5
Published
2015-01-21 18:00
Modified
2024-08-06 04:10
Severity ?
Summary
Unspecified vulnerability in the Oracle Applications DBA component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to DB Privileges. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the researcher's claim that the PUBLIC role is granted the INDEX privilege for the DUAL table during a "seeded install," which allows remote authenticated users to gain SYSDBA privileges and execute arbitrary code.
References
secalert_us@oracle.comhttp://www.databaseforensics.com/Oracle_Jan2015_CPU.pdfVendor Advisory
secalert_us@oracle.comhttp://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.htmlPatch, Vendor Advisory
secalert_us@oracle.comhttp://www.securityfocus.com/bid/72230
secalert_us@oracle.comhttp://www.securitytracker.com/id/1031579
secalert_us@oracle.comhttps://exchange.xforce.ibmcloud.com/vulnerabilities/100097
af854a3a-2127-422b-91ae-364da2661108http://www.databaseforensics.com/Oracle_Jan2015_CPU.pdfVendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.htmlPatch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/72230
af854a3a-2127-422b-91ae-364da2661108http://www.securitytracker.com/id/1031579
af854a3a-2127-422b-91ae-364da2661108https://exchange.xforce.ibmcloud.com/vulnerabilities/100097
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T04:10:10.549Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "oracle-cpujan2015-cve20150393(100097)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/100097"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.databaseforensics.com/Oracle_Jan2015_CPU.pdf"
          },
          {
            "name": "72230",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/72230"
          },
          {
            "name": "1031579",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1031579"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-01-17T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Unspecified vulnerability in the Oracle Applications DBA component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to DB Privileges.  NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the researcher\u0027s claim that the PUBLIC role is granted the INDEX privilege for the DUAL table during a \"seeded install,\" which allows remote authenticated users to gain SYSDBA privileges and execute arbitrary code."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-09-07T15:57:01",
        "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "shortName": "oracle"
      },
      "references": [
        {
          "name": "oracle-cpujan2015-cve20150393(100097)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/100097"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.databaseforensics.com/Oracle_Jan2015_CPU.pdf"
        },
        {
          "name": "72230",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/72230"
        },
        {
          "name": "1031579",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1031579"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert_us@oracle.com",
          "ID": "CVE-2015-0393",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Unspecified vulnerability in the Oracle Applications DBA component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to DB Privileges.  NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the researcher\u0027s claim that the PUBLIC role is granted the INDEX privilege for the DUAL table during a \"seeded install,\" which allows remote authenticated users to gain SYSDBA privileges and execute arbitrary code."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "oracle-cpujan2015-cve20150393(100097)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/100097"
            },
            {
              "name": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html",
              "refsource": "CONFIRM",
              "url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html"
            },
            {
              "name": "http://www.databaseforensics.com/Oracle_Jan2015_CPU.pdf",
              "refsource": "MISC",
              "url": "http://www.databaseforensics.com/Oracle_Jan2015_CPU.pdf"
            },
            {
              "name": "72230",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/72230"
            },
            {
              "name": "1031579",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1031579"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
    "assignerShortName": "oracle",
    "cveId": "CVE-2015-0393",
    "datePublished": "2015-01-21T18:00:00",
    "dateReserved": "2014-12-17T00:00:00",
    "dateUpdated": "2024-08-06T04:10:10.549Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:e-business_suite:11.5.10.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"80B61990-9CC2-4215-9879-AC817F4E6767\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:e-business_suite:12.0.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4C6BAB4D-1DF5-4ECB-A07E-297A94664BBE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:e-business_suite:12.1.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9E42C3CE-CA98-4C13-B41E-DF7A3FEC560F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:e-business_suite:12.2.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"99EF853E-9772-4678-88BB-5FEFE796D9AC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:e-business_suite:12.2.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"86D2B444-B8D8-4A3D-BCCA-3B5280F05A38\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:e-business_suite:12.2.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0FDD0B52-77F6-4607-84F8-1BCF99DB1B23\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Unspecified vulnerability in the Oracle Applications DBA component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to DB Privileges.  NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the researcher\u0027s claim that the PUBLIC role is granted the INDEX privilege for the DUAL table during a \\\"seeded install,\\\" which allows remote authenticated users to gain SYSDBA privileges and execute arbitrary code.\"}, {\"lang\": \"es\", \"value\": \"Vulnerabilidad no especificada en el componente Oracle Applications DBA en Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, y 12.2.4 permite a usuarios remotos autenticados afectar la confidencialidad, la integridad y la disponibilidad a trav\\u00e9s de vectores desconocidos relacionados con privilegios DB. NOTA: la informaci\\u00f3n anterior es de la CPU de enero del 2015. Oracle no ha comentado sobre la declaraci\\u00f3n del investigador original de que el rol PUBLIC se le cede el privilegio INDEX para la tabla DUAL durante una instalaci\\u00f3n inicializada (\u0027seeded install,\u0027) lo que permite a usuarios remotos autenticados ganar privilegios SYSDBA y ejecutar c\\u00f3digo arbitrario.\"}]",
      "id": "CVE-2015-0393",
      "lastModified": "2024-11-21T02:22:58.877",
      "metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:S/C:P/I:P/A:P\", \"baseScore\": 6.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 6.8, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2015-01-21T18:59:36.933",
      "references": "[{\"url\": \"http://www.databaseforensics.com/Oracle_Jan2015_CPU.pdf\", \"source\": \"secalert_us@oracle.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html\", \"source\": \"secalert_us@oracle.com\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/72230\", \"source\": \"secalert_us@oracle.com\"}, {\"url\": \"http://www.securitytracker.com/id/1031579\", \"source\": \"secalert_us@oracle.com\"}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/100097\", \"source\": \"secalert_us@oracle.com\"}, {\"url\": \"http://www.databaseforensics.com/Oracle_Jan2015_CPU.pdf\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/72230\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securitytracker.com/id/1031579\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/100097\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "secalert_us@oracle.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2015-0393\",\"sourceIdentifier\":\"secalert_us@oracle.com\",\"published\":\"2015-01-21T18:59:36.933\",\"lastModified\":\"2024-11-21T02:22:58.877\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Unspecified vulnerability in the Oracle Applications DBA component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to DB Privileges.  NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the researcher\u0027s claim that the PUBLIC role is granted the INDEX privilege for the DUAL table during a \\\"seeded install,\\\" which allows remote authenticated users to gain SYSDBA privileges and execute arbitrary code.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad no especificada en el componente Oracle Applications DBA en Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, y 12.2.4 permite a usuarios remotos autenticados afectar la confidencialidad, la integridad y la disponibilidad a trav\u00e9s de vectores desconocidos relacionados con privilegios DB. NOTA: la informaci\u00f3n anterior es de la CPU de enero del 2015. Oracle no ha comentado sobre la declaraci\u00f3n del investigador original de que el rol PUBLIC se le cede el privilegio INDEX para la tabla DUAL durante una instalaci\u00f3n inicializada (\u0027seeded install,\u0027) lo que permite a usuarios remotos autenticados ganar privilegios SYSDBA y ejecutar c\u00f3digo arbitrario.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:P/I:P/A:P\",\"baseScore\":6.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":6.8,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:e-business_suite:11.5.10.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80B61990-9CC2-4215-9879-AC817F4E6767\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:e-business_suite:12.0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4C6BAB4D-1DF5-4ECB-A07E-297A94664BBE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:e-business_suite:12.1.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9E42C3CE-CA98-4C13-B41E-DF7A3FEC560F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:e-business_suite:12.2.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"99EF853E-9772-4678-88BB-5FEFE796D9AC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:e-business_suite:12.2.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"86D2B444-B8D8-4A3D-BCCA-3B5280F05A38\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:e-business_suite:12.2.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0FDD0B52-77F6-4607-84F8-1BCF99DB1B23\"}]}]}],\"references\":[{\"url\":\"http://www.databaseforensics.com/Oracle_Jan2015_CPU.pdf\",\"source\":\"secalert_us@oracle.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html\",\"source\":\"secalert_us@oracle.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/72230\",\"source\":\"secalert_us@oracle.com\"},{\"url\":\"http://www.securitytracker.com/id/1031579\",\"source\":\"secalert_us@oracle.com\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/100097\",\"source\":\"secalert_us@oracle.com\"},{\"url\":\"http://www.databaseforensics.com/Oracle_Jan2015_CPU.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/72230\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securitytracker.com/id/1031579\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/100097\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.