CVE-2008-6065

Published Feb 5, 2009

Last updated 6 years ago

Overview

Description: Oracle Database Server 10.1, 10.2, and 11g grants directory WRITE permissions for arbitrary pathnames that are aliased in a CREATE OR REPLACE DIRECTORY statement, which allows remote authenticated users with CREATE ANY DIRECTORY privileges to gain SYSDBA privileges by aliasing the pathname of the password directory, and then overwriting the password file through UTL_FILE operations, a related issue to CVE-2006-7141.
Source: cve@mitre.org
NVD status: Modified

Risk scores

CVSS 2.0

Type: Primary
Base score: 5.1
Impact score: 6.4
Exploitability score: 4.9
Vector string: AV:N/AC:H/Au:N/C:P/I:P/A:P

Weaknesses

nvd@nist.gov: CWE-264

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:oracle:database_server:10.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C5331B51-3E41-435D-B1F7-537D58D169E3"
          },
          {
            "criteria": "cpe:2.3:a:oracle:database_server:10.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D38D9C32-FD97-422E-AAE8-55790D4A1AC5"
          },
          {
            "criteria": "cpe:2.3:a:oracle:database_server:11:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8992F179-EC97-4380-B8BC-29111E03823D"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 2.0

Weaknesses

Social media

Configurations

References