CVE-2007-2108
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Unspecified vulnerability in the Core RDBMS component in Oracle Database 9.0.1.5, 9.2.0.8, 10.1.0.5, and 10.2.0.2 on Windows allows remote attackers to have an unknown impact, aka DB01. NOTE: as of 20070424, Oracle has not disputed reliable claims that this issue occurs because the NTLM SSPI AcceptSecurityContext function grants privileges based on the username provided even though all users are authenticated as Guest, which allows remote attackers to gain privileges.
Una vulnerabilidad no especificada en el componente Core RDBMS en Oracle Database versiones 9.0.1.5, 9.2.0.8, 10.1.0.5 y 10.2.0.2 en Windows permite a los atacantes remotos tener un impacto desconocido, también se conoce como DB01. NOTA: a partir de 24-04-2007, Oracle no ha cuestionado las afirmaciones confiables de que este problema se produce porque la función NTLM SSPI AcceptSecurityContext concede privilegios basados en el nombre de usuario proporcionado, aunque todos los usuarios se autentican como invitado, lo que permite el control remoto atacantes para alcanzar privilegios.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2007-04-18 CVE Reserved
- 2007-04-18 CVE Published
- 2024-08-07 CVE Updated
- 2024-10-28 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-264: Permissions, Privileges, and Access Controls
CAPEC
References (11)
| URL | Tag | Source |
|---|---|---|
| http://www.integrigy.com/security-resources/analysis/Integrigy_Oracle_CPU_April_2007_Analysis.pdf | X_refsource_misc | |
| http://www.kb.cert.org/vuls/id/809457 | Third Party Advisory |
|
| http://www.ngssoftware.com/papers/database-on-xp.pdf | X_refsource_misc | |
| http://www.ngssoftware.com/research/papers/NGSSoftware-OracleCPUAPR2007.pdf | X_refsource_misc | |
| http://www.oracle.com/technetwork/topics/security/cpuapr2007-090632.html | X_refsource_confirm |
|
| http://www.red-database-security.com/advisory/oracle_cpu_apr_2007.html | X_refsource_misc | |
| http://www.securityfocus.com/bid/23532 | Vdb Entry | |
| http://www.securitytracker.com/id?1017927 | Vdb Entry | |
| http://www.us-cert.gov/cas/techalerts/TA07-108A.html | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://www.securityfocus.com/archive/1/466329/100/200/threaded | 2018-10-16 | |
| http://www.vupen.com/english/advisories/2007/1426 | 2018-10-16 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Microsoft Search vendor "Microsoft" | Windows Search vendor "Microsoft" for product "Windows" | * | - |
Affected
| in | Oracle Search vendor "Oracle" | Database Server Search vendor "Oracle" for product "Database Server" | 9.0.1.5 Search vendor "Oracle" for product "Database Server" and version "9.0.1.5" | - |
Affected
|
| Microsoft Search vendor "Microsoft" | Windows Search vendor "Microsoft" for product "Windows" | * | - |
Affected
| in | Oracle Search vendor "Oracle" | Database Server Search vendor "Oracle" for product "Database Server" | 9.2.0.8 Search vendor "Oracle" for product "Database Server" and version "9.2.0.8" | - |
Affected
|
| Microsoft Search vendor "Microsoft" | Windows Search vendor "Microsoft" for product "Windows" | * | - |
Affected
| in | Oracle Search vendor "Oracle" | Database Server Search vendor "Oracle" for product "Database Server" | 10.1.0.5 Search vendor "Oracle" for product "Database Server" and version "10.1.0.5" | - |
Affected
|
| Microsoft Search vendor "Microsoft" | Windows Search vendor "Microsoft" for product "Windows" | * | - |
Affected
| in | Oracle Search vendor "Oracle" | Database Server Search vendor "Oracle" for product "Database Server" | 10.2.0.2 Search vendor "Oracle" for product "Database Server" and version "10.2.0.2" | - |
Affected
|