CVE-2006-5340

Vulnerability Description

Multiple unspecified vulnerabilities in Oracle Spatial component in Oracle Database 8.1.7.4, 9.0.1.5, 9.2.0.8, 10.1.0.5, and 10.2.0.2 have unknown impact and remote authenticated attack vectors related to (1) mdsys.sdo_lrs, aka Vuln# DB13, and (2) Vuln# DB17. NOTE: as of 20061023, Oracle has not disputed reports from reliable third parties that DB13 is related to bypassing input validation for SQL injection related to convert_to_lrs_layer and dbms_assert, and DB17 is related to SQL injection in the trigger in the SDO_DROP_USER package.

CVSS Score

Affected Products

References

• http://archive.cert.uni-stuttgart.de/archive/bugtraq/2006/07/msg00489.html
• http://archive.cert.uni-stuttgart.de/archive/bugtraq/2006/07/msg00500.html
• http://secunia.com/advisories/22396Vendor Advisory
• http://securitytracker.com/id?1017077
• http://www.databasesecurity.com/oracle/OracleOct2006-CPU-Analysis.pdf
• http://www.kb.cert.org/vuls/id/869292US Government Resource
• http://www.oracle.com/technetwork/topics/security/cpuoct2006-095368.html
• http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html
• http://www.red-database-security.com/wp/bypass_dbms_assert.pdf
• http://www.securityfocus.com/archive/1/449110/100/0/threaded
• http://www.securityfocus.com/archive/1/449512/100/0/threaded
• http://www.securityfocus.com/archive/1/449711/100/0/threaded
• http://www.securityfocus.com/bid/20588Patch
• http://www.us-cert.gov/cas/techalerts/TA06-291A.htmlUS Government Resource
• http://www.vupen.com/english/advisories/2006/4065Vendor Advisory