CVE-2019-2799
Oracle Database ODBC Driver Heap-based Buffer Overflow Remote Code Execution Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Vulnerability in the Oracle ODBC Driver component of Oracle Database Server<span class=font-red><b> ***PRIVILEGE CANNOT BE NONE FOR AUTHENTICATED ATTACKS***</b></span>. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1 and 18c. Difficult to exploit vulnerability allows low privileged attacker having None privilege with network access via multiple protocols to compromise Oracle ODBC Driver. Successful attacks of this vulnerability can result in takeover of Oracle ODBC Driver. Note: The vulnerability affects Windows platforms only. CVSS 3.0 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
Vulnerabilidad en el componente Oracle ODBC Driver de Oracle Database Server<b> ***EL PRIVILEGIO NO PUEDE SER NINGUNO PARA ATAQUES AUTENTICADOS***</b>. Las versiones compatibles que se ven afectadas son 11.2.0.4, 12.1.0.2, 12.2.0.1 y 18c. Una vulnerabilidad difícil de explotar permite a un atacante con pocos privilegios no tener privilegio con acceso a la red por medio de múltiples protocolos para comprometer el controlador ODBC de Oracle. Nota: La vulnerabilidad afecta solo a las plataformas Windows. CVSS 3.0 Puntuación base 7.5 (Impactos de confidencialidad, integridad y disponibilidad). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle Database. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the ODBC driver. When parsing certain attributes, the process does not properly validate user-supplied data prior to copying it to a fixed-length, heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.
CVSS Scores
SSVC
- Decision:Track*
Timeline
- 2018-12-14 CVE Reserved
- 2019-07-22 CVE Published
- 2024-09-26 EPSS Updated
- 2024-10-15 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (1)
URL | Tag | Source |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html | 2020-08-24 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Oracle Search vendor "Oracle" | Database Server Search vendor "Oracle" for product "Database Server" | 11.2.0.4 Search vendor "Oracle" for product "Database Server" and version "11.2.0.4" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Database Server Search vendor "Oracle" for product "Database Server" | 12.1.0.2 Search vendor "Oracle" for product "Database Server" and version "12.1.0.2" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Database Server Search vendor "Oracle" for product "Database Server" | 12.2.0.1 Search vendor "Oracle" for product "Database Server" and version "12.2.0.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Database Server Search vendor "Oracle" for product "Database Server" | 18c Search vendor "Oracle" for product "Database Server" and version "18c" | - |
Affected
|