CVE-2019-2484
https://notcve.org/view.php?id=CVE-2019-2484
Vulnerability in the Application Express component of Oracle Database Server. Supported versions that are affected are 5.1 and 18.2. Easily exploitable vulnerability allows low privileged attacker having Valid Account privilege with network access via HTTP to compromise Application Express. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Application Express, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Application Express accessible data as well as unauthorized read access to a subset of Application Express accessible data. • http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html •
CVE-2012-3220
https://notcve.org/view.php?id=CVE-2012-3220
Unspecified vulnerability in the Spatial component in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote authenticated users with Create Session privileges to affect confidentiality, integrity, and availability via unknown vectors. Vulnerabilidad no especificada en el componente Spatial en Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2 y 11.2.0.3 permite a usuarios autenticados remotos con privilegios Create Session afectar a la confidencialidad, integridad y disponibilidad a través de vectores desconocidos. • http://www.mandriva.com/security/advisories?name=MDVSA-2013:150 http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17022 •
CVE-2012-3146
https://notcve.org/view.php?id=CVE-2012-3146
Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote authenticated users to affect integrity via unknown vectors. Vulnerabilidad no especificada en el componente Core RDBMS en Oracle Database Server v10.2.0.3, v10.2.0.4, v10.2.0.5, v11.1.0.7, v11.2.0.2 y v11.2.0.3 permite a usuarios autenticados remotos afectar la integridad mediante vectores desconocidos • http://osvdb.org/86387 http://www.mandriva.com/security/advisories?name=MDVSA-2013:150 http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html •
CVE-2012-3137 – Oracle Database - Protocol Authentication Bypass
https://notcve.org/view.php?id=CVE-2012-3137
The authentication protocol in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote attackers to obtain the session key and salt for arbitrary users, which leaks information about the cryptographic hash and makes it easier to conduct brute force password guessing attacks, aka "stealth password cracking vulnerability." El protocolo de autenticación en Oracle Database 11g 1 y 2 permite a atacantes remotos obtener la clave y la "salt" de sesión para usuarios de su elección, lo cual provoca fugas de información sobre el hash criptográfico y hace que sea más fácil ataques de fuerza bruta para adivinar la contraseña. Se trata de un problema también conocido como "vulnerabilidad de ruptura de contraseñas". Oracle database versions 11g R1 and R2 suffers from an authentication bypass vulnerability. • https://www.exploit-db.com/exploits/22069 http://arstechnica.com/security/2012/09/oracle-database-stealth-password-cracking-vulnerability http://threatpost.com/en_us/blogs/flaw-oracle-logon-protocol-leads-easy-password-cracking-092012?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular http://www.darkreading.com/authentication/167901072/security/application-security/240007643/attack-easily-cracks-oracle-database-passwords.html http://www.exploit-db.com/exploits/22069 http://www.mandriva.com/security • CWE-287: Improper Authentication •
CVE-2012-3132
https://notcve.org/view.php?id=CVE-2012-3132
SQL injection vulnerability in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote authenticated users to execute arbitrary SQL commands via vectors involving CREATE INDEX with a CTXSYS.CONTEXT INDEXTYPE and DBMS_STATS.GATHER_TABLE_STATS. Vulnerabilidad de inyección SQL en Oracle Database Server v10.2.0.3, v10.2.0.4, v10.2.0.5, v11.1.0.7, v11.2.0.2, y v11.2.0.3, permite a atacantes remotos ejecutar comandos SQL de su elección mediante vectores que comprenden CREATE INDEX con un CTXSYS.CONTEXT INDEXTYPE y DBMS_STATS.GATHER_TABLE_STATS. • http://www.darkreading.com/database-security/167901020/security/news/240004776/hacking-oracle-database-indexes.html http://www.mandriva.com/security/advisories?name=MDVSA-2013:150 http://www.networkworld.com/news/2012/072712-black-hat-shark-bitten-security-researcher-261203.html http://www.oracle.com/technetwork/topics/security/alert-cve-2012-3132-1721017.html http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html http://www.securitytracker.com/id?1027367 http://www.teamshatter.com/topics/ • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •