Vulnerability Description
The PL/SQL module for the Oracle HTTP Server in Oracle Application Server 10g, when using the WE8ISO8859P1 character set, does not perform character conversions properly, which allows remote attackers to bypass access restrictions for certain procedures via an encoded URL with "%FF" encoded sequences that are improperly converted to "Y" characters.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Oracle | Application Server | All versions |
| Oracle | Collaboration Suite | release_1 |
| Oracle | E-Business Suite | 11.5.1 |
| Oracle | Enterprise Manager | 9 |
| Oracle | Enterprise Manager Database Control | 10.1.2 |
| Oracle | Enterprise Manager Grid Control | 10.1.0.2 |
| Oracle | Oracle10G | enterprise_9.0.4_.0 |
| Oracle | Oracle8I | enterprise_8.0.5_.0.0 |
| Oracle | Oracle9I | client_9.2.0.1 |
References
- http://marc.info/?l=bugtraq&m=110382306006205&w=2
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-101782-1
- http://www.kb.cert.org/vuls/id/435974Third Party AdvisoryUS Government Resource
- http://www.ngssoftware.com/advisories/oracle23122004G.txtPatchVendor Advisory
- http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdfPatchVendor Advisory
- http://www.securityfocus.com/bid/10871Patch
- http://www.us-cert.gov/cas/techalerts/TA04-245A.htmlPatchThird Party AdvisoryUS Government Resource
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18657
- http://marc.info/?l=bugtraq&m=110382306006205&w=2
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-101782-1
- http://www.kb.cert.org/vuls/id/435974Third Party AdvisoryUS Government Resource
- http://www.ngssoftware.com/advisories/oracle23122004G.txtPatchVendor Advisory
- http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdfPatchVendor Advisory
- http://www.securityfocus.com/bid/10871Patch
- http://www.us-cert.gov/cas/techalerts/TA04-245A.htmlPatchThird Party AdvisoryUS Government Resource
FAQ
What is CVE-2004-1362?
CVE-2004-1362 is a vulnerability with a CVSS score of 7.5 (HIGH). The PL/SQL module for the Oracle HTTP Server in Oracle Application Server 10g, when using the WE8ISO8859P1 character set, does not perform character conversions properly, which allows remote attackers...
How severe is CVE-2004-1362?
CVE-2004-1362 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2004-1362?
Check the references section above for vendor advisories and patch information. Affected products include: Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Enterprise Manager Database Control.