CVSS: 6.8EPSS: 1%CPEs: 1EXPL: 0CVE-2007-6260
https://notcve.org/view.php?id=CVE-2007-6260
The installation process for Oracle 10g and llg uses accounts with default passwords, which allows remote attackers to obtain login access by connecting to the Listener. NOTE: at the end of the installation, if performed using the Database Configuration Assistant (DBCA), most accounts are disabled or their passwords are changed. El proceso de instalación de Oracle 10g y llg utiliza cuentas con contraseñas por defecto, lo cual permite a atacantes remotos obtener acceso autenticado conectándose al Listener. NOTA: al final de la instalación, si se lleva a cabo utilizando el Asistente de Configuración de Base de Datos (DBCA), la mayoría de las cuentas son deshabilitadas o sus contraseñas son cambiadas. • http://osvdb.org/43673 http://securityreason.com/securityalert/3419 http://www.davidlitchfield.com/blog/archives/00000030.htm http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database_20071108.pdf http://www.securityfocus.com/archive/1/483652/100/200/threaded http://www.securityfocus.com/bid/26425 • CWE-255: Credentials Management Errors •
CVSS: 8.5EPSS: 0%CPEs: 10EXPL: 0CVE-2007-5897
https://notcve.org/view.php?id=CVE-2007-5897
Buffer overflow in MDSYS.SDO_CS in Oracle Database Server 8iR3, 9iR1, 9iR2 up to 9.2.0.6, and 10gR1 up to 10.1.0.4 allows remote authenticated users to cause a denial of service (crash) and execute arbitrary code via the TRANSFORM function. NOTE: this issue might already be covered by CVE-2007-5515, CVE-2007-5509, or CVE-2007-5505, but there are insufficient details to be sure. Desbordamiento de búfer en MDSYS.SDO_CS de Oracle Database Server 8iR3, 9iR1, 9iR2 hasta 9.2.0.6, y 10gR1 hasta 10.1.0.4 permite a usuarios autenticados remotos provocar una denegación de servicio (caída) y ejecutar código de su elección mediante la función TRANSFORM. NOTA: este asunto podría estar ya cubierto por CVE-2007-5515, CVE-2007-5509, o CVE-2007-5505, pero no hay suficientes detalles como para estar seguros. • http://osvdb.org/40081 http://www.oracle.com/technetwork/topics/security/cpuoct2007-092913.html http://www.securityfocus.com/archive/1/482918/100/100/threaded http://www.securityfocus.com/bid/26243 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 6.0EPSS: 85%CPEs: 1EXPL: 1CVE-2007-4517 – Oracle - xdb.xdb_pitrig_pkg.PITRIG_DROPMETADATA procedure
https://notcve.org/view.php?id=CVE-2007-4517
Buffer overflow in the XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA procedure in Oracle 10g R2 allows remote authenticated users to execute arbitrary code via a long (1) OWNER or (2) NAME argument. Desbordamiento de búfer en el procedimiento XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA en Oracle 10g R2 permite a usuarios remotos autenticados ejecutar código de su elección mediante un argumento (1) OWNER o (2) NAME. • https://www.exploit-db.com/exploits/18093 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=622 http://secunia.com/advisories/27526 http://securityreason.com/securityalert/8524 http://www.securityfocus.com/archive/1/483434/100/0/threaded http://www.securityfocus.com/bid/26374 http://www.securitytracker.com/id?1018908 http://www.vupen.com/english/advisories/2007/3803 https://exchange.xforce.ibmcloud.com/vulnerabilities/38318 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2007-5554
https://notcve.org/view.php?id=CVE-2007-5554
Oracle allows remote attackers to obtain server memory contents via crafted packets, aka Oracle reference number 7892711. NOTE: as of 20071016, the only disclosure is a vague pre-advisory with no actionable information. However, since it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes. Oracle permite a atacantes remotos obtener contenidos de memoria del servidor mediante paquetes manipulados, también conocido como Oracle reference number 7892711. NOTA: A fecha de 20071016, la única revelación es un vago pre-aviso sin información de uso inmediato. Sin embargo, dado que proviene de un investigador reputado, se le ha asignado un identificador CVE por temas de seguimiento. • http://www.irmplc.com/index.php/111-Vendor-Alerts • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 1%CPEs: 5EXPL: 0CVE-2007-5506
https://notcve.org/view.php?id=CVE-2007-5506
The Core RDBMS component in Oracle Database 9.0.1.5+, 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.3 allows remote attackers to cause a denial of service (CPU consumption) via a crafted type 6 Data packet, aka DB20. El núcleo del componente RDBMS en Oracle Database 9.0.1.5+, 9.2.0.8, 9.2.0.8DV, 10.1.0.5, y 10.2.0.3 permite a atacantes remotos provocar una denegación de servicio (consumo de CPU) mediante un paquete de datos tipo 6 manipulado artesanalmente, también conocido como DB20. • http://marc.info/?l=bugtraq&m=119332677525918&w=2 http://secunia.com/advisories/27251 http://secunia.com/advisories/27409 http://securityreason.com/securityalert/3244 http://www.oracle.com/technetwork/topics/security/cpuoct2007-092913.html http://www.securityfocus.com/archive/1/482424/100/0/threaded http://www.securityfocus.com/bid/26108 http://www.securitytracker.com/id?1018823 http://www.us-cert.gov/cas/techalerts/TA07-290A.html http://www.vupen.com/english/advisories/2007&#x • CWE-399: Resource Management Errors •