CVE-2006-0586
Multiple SQL injection vulnerabilities in Oracle 10g Release 1 before CPU Jan 2006 allow remote attackers to execute arbitrary SQL commands via multiple parameters in (1) ATTACH_JOB, (2) HAS_PRIVS, and (3) OPEN_JOB functions in the SYS.KUPV$FT package; and (4) UPDATE_JOB, (5) ACTIVE_JOB, (6) ATTACH_POSSIBLE, (7) ATTACH_TO_JOB, (8) CREATE_NEW_JOB, (9) DELETE_JOB, (10) DELETE_MASTER_TABLE, (11) DETACH_JOB, (12) GET_JOB_INFO, (13) GET_JOB_QUEUES, (14) GET_SOLE_JOBNAME, (15) MASTER_TBL_LOCK, and (16) VALID_HANDLE functions in the SYS.KUPV$FT_INT package. NOTE: due to the lack of relevant details in the Oracle advisory, a separate CVE is being created, since it cannot be conclusively proven that these issues have been addressed by Oracle. It is unclear which, if any, Oracle Vuln# identifiers apply to these issues.
Affected products: n/a

Public PoCs found: 3
www.exploit-db.com/exploits/3179 (unverified)
www.exploit-db.com/exploits/3359 (unverified)
www.exploit-db.com/exploits/3376 (unverified)
References
http://lists.grok.org.uk/pipermail/full-disclosure/2006-January/041498.html
http://lists.grok.org.uk/pipermail/full-disclosure/2006-January/041499.html
https://exchange.xforce.ibmcloud.com/vulnerabilities/24195
https://exchange.xforce.ibmcloud.com/vulnerabilities/24197
http://www.osvdb.org/22839
http://www.osvdb.org/22840
http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html
http://www.red-database-security.com/advisory/oracle_sql_injection_kupv%24ft.html
http://www.red-database-security.com/advisory/oracle_sql_injection_kupv%24ft_int.html
http://www.securityfocus.com/archive/1/422423/30/7370/threaded
http://www.securityfocus.com/archive/1/422424/30/7370/threaded
http://www.securityfocus.com/bid/16294