CVE-2006-2081
Oracle 10g Release 2 - 'DBMS_EXPORT_EXTENSION' SQL
Severity Score: 4.6 (CVSS v2)
Public Exploits: 3 (Multiple Sources)
Exploited in Wild: - (KEV)
Decision: - (SSVC)
Descriptions
Oracle Database Server 10g Release 2 allows local users to execute arbitrary SQL queries via the GET_DOMAIN_INDEX_METADATA function in the DBMS_EXPORT_EXTENSION package. NOTE: this issue was originally linked to DB05 (CVE-2006-1870), but a reliable third party has claimed that it is not the same issue. Based on details of the problem, the primary issue appears to be insecure privileges that facilitate the introduction of SQL in a way that is not related to special characters, so this is not "SQL injection" per se.
Credits: N/A
Timeline
- 2006-04-26 First Exploit
- 2006-04-27 CVE Reserved
- 2006-04-27 CVE Published
- 2024-08-07 CVE Updated
- 2024-08-16 EPSS Updated
References (14)
URL | Tag
---|---
http://secunia.com/advisories/19860 | Third Party Advisory
http://securityreason.com/securityalert/802 | Third Party Advisory
http://securitytracker.com/id?1015999 | Vdb Entry
http://www.kb.cert.org/vuls/id/932124 | Third Party Advisory
http://www.securityfocus.com/archive/1/431353/100/0/threaded | Mailing List
http://www.securityfocus.com/archive/1/432078/100/0/threaded | Mailing List
http://www.securityfocus.com/archive/1/432354/100/0/threaded | Mailing List
http://www.securityfocus.com/archive/1/432355/100/0/threaded | Mailing List
http://www.securityfocus.com/archive/1/432632/30/5250/threaded | Mailing List
http://www.securityfocus.com/bid/17699 | Vdb Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/26048 | Vdb Entry

URL | Date
---|---
https://www.exploit-db.com/exploits/1719 | 2006-04-26
https://www.exploit-db.com/exploits/3269 | 2007-02-05
http://www.red-database-security.com/exploits/oracle-sql-injection-oracle-dbms_export_extension.html | 2024-08-07
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Oracle | Database Server | * | - | Affected