CVE-2006-5336

Vulnerability Description

Multiple unspecified vulnerabilities in the Change Data Capture (CDC) component in Oracle Database 9.2.0.7, 10.1.0.5, and have unknown impact and remote authenticated attack vectors related to (1) sys.dbms_cdc_ipublish (Vuln# DB05) and (2) sys.dbms_cdc_isubscribe (DB06). NOTE: as of 20061023, Oracle has not disputed reports from reliable third parties that DB05 is for SQL injection in CREATE_CHANGE_TABLE and CHANGE_TABLE_TRIGGER, and DB06 is for PL/SQL injection in the PREPARE_UNBOUNDED_VIEW procedure.

CVSS Score

Affected Products

References

• http://secunia.com/advisories/22396Vendor Advisory
• http://securitytracker.com/id?1017077
• http://www.databasesecurity.com/oracle/OracleOct2006-CPU-Analysis.pdf
• http://www.kb.cert.org/vuls/id/446100US Government Resource
• http://www.kb.cert.org/vuls/id/716964US Government Resource
• http://www.oracle.com/technetwork/topics/security/cpuoct2006-095368.html
• http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html
• http://www.securityfocus.com/archive/1/449110/100/0/threaded
• http://www.securityfocus.com/archive/1/449711/100/0/threaded
• http://www.securityfocus.com/bid/20588Patch
• http://www.us-cert.gov/cas/techalerts/TA06-291A.htmlUS Government Resource
• http://www.vupen.com/english/advisories/2006/4065Vendor Advisory
• http://secunia.com/advisories/22396Vendor Advisory
• http://securitytracker.com/id?1017077
• http://www.databasesecurity.com/oracle/OracleOct2006-CPU-Analysis.pdf