SQL Injection Vulnerability in Oracle Database 10g by Oracle
CVE-2008-3979

Currently unrated

Key Information:

Vendor: Oracle
Status: Database 10g
Vendor: CVE Published:; 14 January 2009

Summary

An unspecified vulnerability in the Oracle Spatial component affects versions 10.1.0.5 and 10.2.0.2 of Oracle Database. This flaw allows remote authenticated users to potentially compromise confidentiality and integrity through unknown vectors. Claims from reliable researchers suggest this issue may be related to SQL injection, enabling unauthorized access to MDSYS privileges via the MDSYS.SDO_TOPO_DROP_FTBL trigger. Organizations using these affected versions of Oracle Database should take immediate precautions to mitigate the risks associated with this vulnerability.

References

http://osvdb.org/51354

vdb-entryx_refsource_OSVDB

http://secunia.com/advisories/33525

third-party-advisoryx_refsource_SECUNIA

http://www.securitytracker.com/id?1021561

vdb-entryx_refsource_SECTRACK

EPSS Score

54% chance of being exploited in the next 30 days.

Timeline

Vulnerability published
Jan 14, 2009
Vulnerability Reserved
Sep 9, 2008