CVE-2014-6577
 
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
Unspecified vulnerability in the XML Developer's Kit for C component in Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the original researcher's claim that this is an XML external entity (XXE) vulnerability in the XML parser, which allows attackers to conduct internal port scanning, perform SSRF attacks, or cause a denial of service via a crafted (1) http: or (2) ftp: URI.
Vulnerabilidad no especificada en el componente XML Developer's Kit for C en Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, y 12.1.0.2 permite a usuarios remotos autenticados afectar la confidencialidad a través de vectores desconocidos. NOTA: la información previa es la CPU de enero del 2015. Oracle no ha comentado sobre la declaración del investigador original de que esto se trata de una vulnerabilidad de entidad externa XML (XXE) en el analizador de XML, lo que permite a atacantes realizar el escaneo de puertos internos, realizar ataques de SSRF o causar una denegación de servicio a través de una URI (1) http: o (2) ftp: manipulada.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2014-09-17 CVE Reserved
- 2015-01-21 CVE Published
- 2023-03-07 EPSS Updated
- 2024-08-06 CVE Updated
- 2024-08-06 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
CAPEC
References (4)
URL | Tag | Source |
---|---|---|
http://www.securityfocus.com/bid/72139 | Vdb Entry | |
http://www.securitytracker.com/id/1031572 | Vdb Entry |
URL | Date | SRC |
---|---|---|
https://blog.netspi.com/advisory-xxe-injection-oracle-database-cve-2014-6577 | 2024-08-06 |
URL | Date | SRC |
---|---|---|
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html | 2016-11-28 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Oracle Search vendor "Oracle" | Database Server Search vendor "Oracle" for product "Database Server" | 11.2.0.3 Search vendor "Oracle" for product "Database Server" and version "11.2.0.3" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Database Server Search vendor "Oracle" for product "Database Server" | 11.2.0.4 Search vendor "Oracle" for product "Database Server" and version "11.2.0.4" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Database Server Search vendor "Oracle" for product "Database Server" | 12.1.0.1 Search vendor "Oracle" for product "Database Server" and version "12.1.0.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Database Server Search vendor "Oracle" for product "Database Server" | 12.1.0.2 Search vendor "Oracle" for product "Database Server" and version "12.1.0.2" | - |
Affected
|