Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:14805
HistoryOct 26, 2006 - 12:00 a.m.

SQL Injection in package SYS.DBMS_SQLTUNE_INTERNAL

2006-10-2600:00:00
vulners.com
20
JSON

Name SQL Injection in package SYS.DBMS_SQLTUNE_INTERNAL (6980745) [DB10]
Systems Affected Oracle 8i-10g Rel. 2
Severity High Risk
Category SQL Injection
Vendor URL http://www.oracle.com/
Author Alexander Kornbrust (ak at red-database-security.com)
Advisory 18 October 2006 (V 1.00)
Advisory http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_
sqltune_internal.html

Details
#######
The package DBMS_SQLTUNE_INTERNAL contains SQL injection vulnerabilities. in I_SET_TUNING_PARAMETER and SELECT_SQLSET. Oracle fixed this by using bind variables in their dynamic SQL statements.

Patch Information
#################
Apply the patches for Oracle CPU October 2006.

History
#######
1-nov-2005 Oracle secalert was informed
18-oct-2006 Oracle published CPU October 2006 [DB13]
18-oct-2006 Advisory published

Additional Information
######################
An analysis of the Oracle CPU Oct 2006 is available here http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html

JSON