Remote Code Execution Vulnerability in Oracle Database Server and Enterprise Manager
CVE-2010-3600

Currently unrated

Key Information:

Vendor: Oracle
Status: Database Server; Enterprise Manager Grid Control
Vendor: CVE Published:; 19 January 2011

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 75%

Summary

An unspecified vulnerability in the Client System Analyzer component of the Oracle Database Server versions 11.1.0.7 and 11.2.0.1, as well as Enterprise Manager Grid Control version 10.2.0.5, allows remote attackers to potentially compromise the confidentiality, integrity, and availability of affected systems. This issue may be linked to an exposed JSP script that permits XML uploads combined with NULL byte injections in an unspecified parameter, potentially leading to the execution of arbitrary code. Users are urged to apply security measures to protect their systems from potential exploits.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2010-3600-PythonHackOracle11gR2
Created by LAITRUNGMINHDUC

References

http://www.vupen.com/english/advisories/2011/0139

vdb-entryx_refsource_VUPEN

http://www.securitytracker.com/id?1024972

vdb-entryx_refsource_SECTRACK

http://www.securityfocus.com/bid/45883

vdb-entryx_refsource_BID

EPSS Score

75% chance of being exploited in the next 30 days.

Timeline

🟡
Public PoC available
Jul 20, 2018
👾
Exploit known to exist
Jul 20, 2018
Vulnerability published
Jan 19, 2011
Vulnerability Reserved
Sep 20, 2010