Summary
Oracle Forms and Reports Database Vulnerability
Impact
Unauthenticated remote attackers can dump usernames and passwords of the database.
Solution
Apply the patch from Oracle or upgrade to version 12 or higher.
Insight
An undocumented function of the PARSEQUERY function allows to take keymaps that are located in /reports/rwservlet/ and add them to the query which will allow to dump the database passwords.
Affected
Oracle Fusion Middleware 11.1.1.4, 11.1.1.6, and 11.1.2.0
Detection
Tries to dump at least one username and password of the database.
References
Severity
Classification
-
CVE CVE-2012-3153 -
CVSS Base Score: 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:N
Related Vulnerabilities