CVE-2012-3132

high

Description

SQL injection vulnerability in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote authenticated users to execute arbitrary SQL commands via vectors involving CREATE INDEX with a CTXSYS.CONTEXT INDEXTYPE and DBMS_STATS.GATHER_TABLE_STATS.

References

https://blogs.oracle.com/security/entry/security_alert_cve_2012_3132

http://www.teamshatter.com/topics/general/team-shatter-exclusive/ctxsys-context-privilege-escalation/

http://www.securitytracker.com/id?1027367

http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html

http://www.oracle.com/technetwork/topics/security/alert-cve-2012-3132-1721017.html

http://www.networkworld.com/news/2012/072712-black-hat-shark-bitten-security-researcher-261203.html

http://www.mandriva.com/security/advisories?name=MDVSA-2013:150

http://www.darkreading.com/database-security/167901020/security/news/240004776/hacking-oracle-database-indexes.html

Details

Source: Mitre, NVD

Published: 2012-08-10

Updated: 2013-10-11

Risk Information

CVSS v2

Base Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High